generalized range_query class for multiple contexts

As part of the ranger work, we have been trying to clean up and 
generalize interfaces whenever possible.  This not only helps in 
reducing the maintenance burden going forward, but provides mechanisms 
for backwards compatibility between ranger and other providers/users of 
ranges throughout the compiler like evrp and VRP.

One such interface is the range_query class in vr_values.h, which 
provides a range query mechanism for use in the simplify_using_ranges 
module.  With it, simplify_using_ranges can be used with the ranger, or 
the VRP twins by providing a get_value_range() method.  This has helped 
us in comparing apples to apples while doing our work, and has also 
future proofed the interface so that asking for a range can be done 
within the context in which it appeared.  For example, get_value_range 
now takes a gimple statement which provides context.  We are no longer 
tied to asking for a global SSA range, but can ask for the range of an 
SSA within a statement.  Granted, this functionality is currently only 
in the ranger, but evrp/vrp could be adapted to pass such context.

The range_query is a good first step, but what we really want is a 
generic query mechanism that can ask for SSA ranges within an 
expression, a statement, an edge, or anything else that may come up.  We 
think that a generic mechanism can be used not only for range producers, 
but consumers such as the substitute_and_fold_engine (see get_value 
virtual) and possibly the gimple folder (see valueize).

The attached patchset provides such an interface.  It is meant to be a 
replacement for range_query that can be used for vr_values, 
substitute_and_fold, the subsitute_and_fold_engine, as well as the 
ranger.  The general API is:

class value_query
{
public:
   // Return the singleton expression for NAME at a gimple statement,
   // or NULL if none found.
   virtual tree value_of_expr (tree name, gimple * = NULL) = 0;
   // Return the singleton expression for NAME at an edge, or NULL if
   // none found.
   virtual tree value_on_edge (edge, tree name);
   // Return the singleton expression for the LHS of a gimple
   // statement, assuming an (optional) initial value of NAME.  Returns
   // NULL if none found.
   //
   // Note this method calculates the range the LHS would have *after*
   // the statement has executed.
   virtual tree value_of_stmt (gimple *, tree name = NULL);
};

class range_query : public value_query
{
public:
   range_query ();
   virtual ~range_query ();

   virtual tree value_of_expr (tree name, gimple * = NULL) OVERRIDE;
   virtual tree value_on_edge (edge, tree name) OVERRIDE;
   virtual tree value_of_stmt (gimple *, tree name = NULL) OVERRIDE;

   // These are the range equivalents of the value_* methods.  Instead
   // of returning a singleton, they calculate a range and return it in
   // R.  TRUE is returned on success or FALSE if no range was found.
   virtual bool range_of_expr (irange &r, tree name, gimple * = NULL) = 0;
   virtual bool range_on_edge (irange &r, edge, tree name);
   virtual bool range_of_stmt (irange &r, gimple *, tree name = NULL);

   // DEPRECATED: This method is used from vr-values.  The plan is to
   // rewrite all uses of it to the above API.
   virtual const class value_range_equiv *get_value_range (const_tree,
							  gimple * = NULL);
};

The duality of the API (value_of_* and range_on_*) is because some 
passes are interested in a singleton value 
(substitute_and_fold_enginge), while others are interested in ranges 
(vr_values).  Passes that are only interested in singletons can take a 
value_query, while passes that are interested in full ranges, can take a 
range_query.  Of course, for future proofing, we would recommend taking 
a range_query, since if you provide a default range_of_expr, sensible 
defaults will be provided for the others in terms of range_of_expr.

Note, that the absolute bare minimum that must be provided is a 
value_of_expr and a range_of_expr respectively.

One piece of the API which is missing is a method  to return the range 
of an arbitrary SSA_NAME *after* a statement.  Currently range_of_expr 
calculates the range of an expression upon entry to the statement, 
whereas range_of_stmt calculates the range of *only* the LHS of a 
statement AFTER the statement has executed.

This would allow for complete representation of the ranges/values in 
something like:

     d_4 = *g_7;

Here the range of g_7 upon entry could be VARYING, but after the 
dereference we know it must be non-zero.  Well for sane targets anyhow.

Choices would be to:

   1) add a 4th method such as "range_after_stmt", or

   2) merge that functionality with the existing range_of_stmt method to 
provide "after" functionality for any ssa_name.  Currently the SSA_NAME 
must be the same as the LHS if specified.  It also does not need to be 
specified to allow evaluation of statements without a LHS, (if (x < 1) 
has no LHS, but will return [0,0] [1,1] or [0,1] as there is a boolean 
"result" to the statement.

Also, we've debated whether to use the two classes (value_query and 
range_query) separately as above, or perhaps join them into one class. 
I personally like the separation of powers.  Some users only care for 
singletons, no sense in polluting their implementations with talk of 
ranges.  But we're open to suggestions.

The patchset is divided into 3 parts:

1. Generic implementation of class.

2. Conversion of vr_values and substitute_and_fold_engine to class.

The conversion of the substitute_and_fold_engine class involved changing 
all calls to get_value() to a corresponding method providing context. 
For example, when the edge or statement is available, we pass these to 
the appropriate method.

With this, we've been able to plug in the ranger into our hybrid evrp, 
which can then get better ranges.  Our hybrid evrp has moved a lot of 
optimizations that were happening much later into the early vrp stage.

3. Conversion of sprintf/strlen pass to class.

This is a nonfunctional change to the sprintf/strlen passes.  That is, 
no effort was made to change the passes to multi-ranges.  However, with 
this patch, we are able to plug in a ranger or evrp with just a few 
lines, since the range query mechanism share a common API.

---------------------

We think this interface is generic enough to be used in any place that 
queries ranges or singletons, basically any place we have *valueize* in 
the compiler.  It can also be used to replace range generators at will, 
or even combine them to get the best of both worlds.  For example, 
places that currently have a value_* interface because they work with 
constants, like CCP, could have an alternate valueizer plugged in and if 
a range folds to a constant, CCP could then propagate that constant.

Tested on x86-64 Linux.

Aldy

Forgot to include ChangeLog entries.

Aldy

On 9/18/20 12:38 PM, Aldy Hernandez via Gcc-patches wrote:
> As part of the ranger work, we have been trying to clean up and 
> generalize interfaces whenever possible.  This not only helps in 
> reducing the maintenance burden going forward, but provides mechanisms 
> for backwards compatibility between ranger and other providers/users of 
> ranges throughout the compiler like evrp and VRP.
> 
> One such interface is the range_query class in vr_values.h, which 
> provides a range query mechanism for use in the simplify_using_ranges 
> module.  With it, simplify_using_ranges can be used with the ranger, or 
> the VRP twins by providing a get_value_range() method.  This has helped 
> us in comparing apples to apples while doing our work, and has also 
> future proofed the interface so that asking for a range can be done 
> within the context in which it appeared.  For example, get_value_range 
> now takes a gimple statement which provides context.  We are no longer 
> tied to asking for a global SSA range, but can ask for the range of an 
> SSA within a statement.  Granted, this functionality is currently only 
> in the ranger, but evrp/vrp could be adapted to pass such context.
> 
> The range_query is a good first step, but what we really want is a 
> generic query mechanism that can ask for SSA ranges within an 
> expression, a statement, an edge, or anything else that may come up.  We 
> think that a generic mechanism can be used not only for range producers, 
> but consumers such as the substitute_and_fold_engine (see get_value 
> virtual) and possibly the gimple folder (see valueize).
> 
> The attached patchset provides such an interface.  It is meant to be a 
> replacement for range_query that can be used for vr_values, 
> substitute_and_fold, the subsitute_and_fold_engine, as well as the 
> ranger.  The general API is:
> 
> class value_query
> {
> public:
>    // Return the singleton expression for NAME at a gimple statement,
>    // or NULL if none found.
>    virtual tree value_of_expr (tree name, gimple * = NULL) = 0;
>    // Return the singleton expression for NAME at an edge, or NULL if
>    // none found.
>    virtual tree value_on_edge (edge, tree name);
>    // Return the singleton expression for the LHS of a gimple
>    // statement, assuming an (optional) initial value of NAME.  Returns
>    // NULL if none found.
>    //
>    // Note this method calculates the range the LHS would have *after*
>    // the statement has executed.
>    virtual tree value_of_stmt (gimple *, tree name = NULL);
> };
> 
> class range_query : public value_query
> {
> public:
>    range_query ();
>    virtual ~range_query ();
> 
>    virtual tree value_of_expr (tree name, gimple * = NULL) OVERRIDE;
>    virtual tree value_on_edge (edge, tree name) OVERRIDE;
>    virtual tree value_of_stmt (gimple *, tree name = NULL) OVERRIDE;
> 
>    // These are the range equivalents of the value_* methods.  Instead
>    // of returning a singleton, they calculate a range and return it in
>    // R.  TRUE is returned on success or FALSE if no range was found.
>    virtual bool range_of_expr (irange &r, tree name, gimple * = NULL) = 0;
>    virtual bool range_on_edge (irange &r, edge, tree name);
>    virtual bool range_of_stmt (irange &r, gimple *, tree name = NULL);
> 
>    // DEPRECATED: This method is used from vr-values.  The plan is to
>    // rewrite all uses of it to the above API.
>    virtual const class value_range_equiv *get_value_range (const_tree,
>                                gimple * = NULL);
> };
> 
> The duality of the API (value_of_* and range_on_*) is because some 
> passes are interested in a singleton value 
> (substitute_and_fold_enginge), while others are interested in ranges 
> (vr_values).  Passes that are only interested in singletons can take a 
> value_query, while passes that are interested in full ranges, can take a 
> range_query.  Of course, for future proofing, we would recommend taking 
> a range_query, since if you provide a default range_of_expr, sensible 
> defaults will be provided for the others in terms of range_of_expr.
> 
> Note, that the absolute bare minimum that must be provided is a 
> value_of_expr and a range_of_expr respectively.
> 
> One piece of the API which is missing is a method  to return the range 
> of an arbitrary SSA_NAME *after* a statement.  Currently range_of_expr 
> calculates the range of an expression upon entry to the statement, 
> whereas range_of_stmt calculates the range of *only* the LHS of a 
> statement AFTER the statement has executed.
> 
> This would allow for complete representation of the ranges/values in 
> something like:
> 
>      d_4 = *g_7;
> 
> Here the range of g_7 upon entry could be VARYING, but after the 
> dereference we know it must be non-zero.  Well for sane targets anyhow.
> 
> Choices would be to:
> 
>    1) add a 4th method such as "range_after_stmt", or
> 
>    2) merge that functionality with the existing range_of_stmt method to 
> provide "after" functionality for any ssa_name.  Currently the SSA_NAME 
> must be the same as the LHS if specified.  It also does not need to be 
> specified to allow evaluation of statements without a LHS, (if (x < 1) 
> has no LHS, but will return [0,0] [1,1] or [0,1] as there is a boolean 
> "result" to the statement.
> 
> Also, we've debated whether to use the two classes (value_query and 
> range_query) separately as above, or perhaps join them into one class. I 
> personally like the separation of powers.  Some users only care for 
> singletons, no sense in polluting their implementations with talk of 
> ranges.  But we're open to suggestions.
> 
> The patchset is divided into 3 parts:
> 
> 1. Generic implementation of class.

Just a few comments on the new APIs in part 1.

Here I would again recommend preventing the copying and assigning
the new range_query class.  Ditto for equiv_allocator unless its
base takes care of that.  For value_query, since it has a pure
virtual function, I would suggest to declare its default ctor
protected (and = default).  That way, if someone tries to define
an object of it, they'll get a nice compilation error as opposed
to a confusing linker error.

The range_query default ctor uses the new epression to allocate
and construct its equiv_allocator object but the range_query dtor
just calls release on the object without invoking the delete
expression on it.  Unless the release() function does that (I'd
hope not but I have seen it) that seems like a leak.

Also, defining virtual functions to take default arguments tends
to be tricky and is generally discouraged.  Usually the default
argument value from the base class is used, unless the overridden
virtual function is called directly (either via Derived::foo()
or via ptr_to_derived->foo()).  To avoid surprises all overridden
virtual functions need to have the same defaults as the base,
which is easy to get wrong without compiler warnings.

One way to get around this is to define a non-virtual public
function with defaults in the base class and have it call
a protected virtual without the defaults.

Finally, unless both a type and function with the same name exist
in the same scope there is no reason to mention the class-id when
referencing a class name.  I.e., this

   value_range_equiv *allocate_value_range_equiv ();
   void free_value_range_equiv (value_range_equiv *);

is the same as this:

   class value_range_equiv *allocate_value_range_equiv ();
   void free_value_range_equiv (class value_range_equiv *);

but the former is shorter and clearer (and in line with existing
practice).

I'm hoping to look at the remaining parts soon (especially part
3) but right now I'm being summoned to dinner.

Martin

> 
> 2. Conversion of vr_values and substitute_and_fold_engine to class.
> 
> The conversion of the substitute_and_fold_engine class involved changing 
> all calls to get_value() to a corresponding method providing context. 
> For example, when the edge or statement is available, we pass these to 
> the appropriate method.
> 
> With this, we've been able to plug in the ranger into our hybrid evrp, 
> which can then get better ranges.  Our hybrid evrp has moved a lot of 
> optimizations that were happening much later into the early vrp stage.
> 
> 3. Conversion of sprintf/strlen pass to class.
> 
> This is a nonfunctional change to the sprintf/strlen passes.  That is, 
> no effort was made to change the passes to multi-ranges.  However, with 
> this patch, we are able to plug in a ranger or evrp with just a few 
> lines, since the range query mechanism share a common API.
> 
> ---------------------
> 
> We think this interface is generic enough to be used in any place that 
> queries ranges or singletons, basically any place we have *valueize* in 
> the compiler.  It can also be used to replace range generators at will, 
> or even combine them to get the best of both worlds.  For example, 
> places that currently have a value_* interface because they work with 
> constants, like CCP, could have an alternate valueizer plugged in and if 
> a range folds to a constant, CCP could then propagate that constant.
> 
> Tested on x86-64 Linux.
> 
> Aldy

On 9/24/20 1:53 AM, Martin Sebor wrote:

> Finally, unless both a type and function with the same name exist
> in the same scope there is no reason to mention the class-id when
> referencing a class name.  I.e., this
> 
>    value_range_equiv *allocate_value_range_equiv ();
>    void free_value_range_equiv (value_range_equiv *);
> 
> is the same as this:
> 
>    class value_range_equiv *allocate_value_range_equiv ();
>    void free_value_range_equiv (class value_range_equiv *);
> 
> but the former is shorter and clearer (and in line with existing
> practice).

value_range_equiv may not be defined in the scope of range-query.h, so 
that is why the class specifier is there.

Aldy

On 9/24/20 12:46 AM, Aldy Hernandez wrote:
> 
> 
> On 9/24/20 1:53 AM, Martin Sebor wrote:
> 
>> Finally, unless both a type and function with the same name exist
>> in the same scope there is no reason to mention the class-id when
>> referencing a class name.  I.e., this
>>
>>    value_range_equiv *allocate_value_range_equiv ();
>>    void free_value_range_equiv (value_range_equiv *);
>>
>> is the same as this:
>>
>>    class value_range_equiv *allocate_value_range_equiv ();
>>    void free_value_range_equiv (class value_range_equiv *);
>>
>> but the former is shorter and clearer (and in line with existing
>> practice).
> 
> value_range_equiv may not be defined in the scope of range-query.h, so 
> that is why the class specifier is there.

I see.  It's probably a reflection of my C++ background that this
style catches my eye.  In C++ I think it's more common to introduce
a forward declaration of a class before using it.

Just as a side note, the first declaration of a type introduces it
into the enclosing namespace so that from that point forward it can
be used without the class-id.  E.g., this is valid:

   struct A
   {
     // Need class here...
     class B *f ();
     // ...but not here...
     void g (B *);
   };

  // ...or even here:
  B* A::f () { return 0; }

Either way, the code is correct as is and I don't object to it,
just noting that (at least some of) the class-ids are redundant.

Martin

On 9/18/20 12:38 PM, Aldy Hernandez via Gcc-patches wrote:
> As part of the ranger work, we have been trying to clean up and 
> generalize interfaces whenever possible.  This not only helps in 
> reducing the maintenance burden going forward, but provides mechanisms 
> for backwards compatibility between ranger and other providers/users of 
> ranges throughout the compiler like evrp and VRP.
> 
> One such interface is the range_query class in vr_values.h, which 
> provides a range query mechanism for use in the simplify_using_ranges 
> module.  With it, simplify_using_ranges can be used with the ranger, or 
> the VRP twins by providing a get_value_range() method.  This has helped 
> us in comparing apples to apples while doing our work, and has also 
> future proofed the interface so that asking for a range can be done 
> within the context in which it appeared.  For example, get_value_range 
> now takes a gimple statement which provides context.  We are no longer 
> tied to asking for a global SSA range, but can ask for the range of an 
> SSA within a statement.  Granted, this functionality is currently only 
> in the ranger, but evrp/vrp could be adapted to pass such context.
> 
> The range_query is a good first step, but what we really want is a 
> generic query mechanism that can ask for SSA ranges within an 
> expression, a statement, an edge, or anything else that may come up.  We 
> think that a generic mechanism can be used not only for range producers, 
> but consumers such as the substitute_and_fold_engine (see get_value 
> virtual) and possibly the gimple folder (see valueize).
> 
> The attached patchset provides such an interface.  It is meant to be a 
> replacement for range_query that can be used for vr_values, 
> substitute_and_fold, the subsitute_and_fold_engine, as well as the 
> ranger.  The general API is:
> 
> class value_query
> {
> public:
>    // Return the singleton expression for NAME at a gimple statement,
>    // or NULL if none found.
>    virtual tree value_of_expr (tree name, gimple * = NULL) = 0;
>    // Return the singleton expression for NAME at an edge, or NULL if
>    // none found.
>    virtual tree value_on_edge (edge, tree name);
>    // Return the singleton expression for the LHS of a gimple
>    // statement, assuming an (optional) initial value of NAME.  Returns
>    // NULL if none found.
>    //
>    // Note this method calculates the range the LHS would have *after*
>    // the statement has executed.
>    virtual tree value_of_stmt (gimple *, tree name = NULL);
> };
> 
> class range_query : public value_query
> {
> public:
>    range_query ();
>    virtual ~range_query ();
> 
>    virtual tree value_of_expr (tree name, gimple * = NULL) OVERRIDE;
>    virtual tree value_on_edge (edge, tree name) OVERRIDE;
>    virtual tree value_of_stmt (gimple *, tree name = NULL) OVERRIDE;
> 
>    // These are the range equivalents of the value_* methods.  Instead
>    // of returning a singleton, they calculate a range and return it in
>    // R.  TRUE is returned on success or FALSE if no range was found.
>    virtual bool range_of_expr (irange &r, tree name, gimple * = NULL) = 0;
>    virtual bool range_on_edge (irange &r, edge, tree name);
>    virtual bool range_of_stmt (irange &r, gimple *, tree name = NULL);
> 
>    // DEPRECATED: This method is used from vr-values.  The plan is to
>    // rewrite all uses of it to the above API.
>    virtual const class value_range_equiv *get_value_range (const_tree,
>                                gimple * = NULL);
> };
> 
> The duality of the API (value_of_* and range_on_*) is because some 
> passes are interested in a singleton value 
> (substitute_and_fold_enginge), while others are interested in ranges 
> (vr_values).  Passes that are only interested in singletons can take a 
> value_query, while passes that are interested in full ranges, can take a 
> range_query.  Of course, for future proofing, we would recommend taking 
> a range_query, since if you provide a default range_of_expr, sensible 
> defaults will be provided for the others in terms of range_of_expr.
> 
> Note, that the absolute bare minimum that must be provided is a 
> value_of_expr and a range_of_expr respectively.
> 
> One piece of the API which is missing is a method  to return the range 
> of an arbitrary SSA_NAME *after* a statement.  Currently range_of_expr 
> calculates the range of an expression upon entry to the statement, 
> whereas range_of_stmt calculates the range of *only* the LHS of a 
> statement AFTER the statement has executed.
> 
> This would allow for complete representation of the ranges/values in 
> something like:
> 
>      d_4 = *g_7;
> 
> Here the range of g_7 upon entry could be VARYING, but after the 
> dereference we know it must be non-zero.  Well for sane targets anyhow.
> 
> Choices would be to:
> 
>    1) add a 4th method such as "range_after_stmt", or
> 
>    2) merge that functionality with the existing range_of_stmt method to 
> provide "after" functionality for any ssa_name.  Currently the SSA_NAME 
> must be the same as the LHS if specified.  It also does not need to be 
> specified to allow evaluation of statements without a LHS, (if (x < 1) 
> has no LHS, but will return [0,0] [1,1] or [0,1] as there is a boolean 
> "result" to the statement.
> 
> Also, we've debated whether to use the two classes (value_query and 
> range_query) separately as above, or perhaps join them into one class. I 
> personally like the separation of powers.  Some users only care for 
> singletons, no sense in polluting their implementations with talk of 
> ranges.  But we're open to suggestions.
> 
> The patchset is divided into 3 parts:
> 
> 1. Generic implementation of class.
> 
> 2. Conversion of vr_values and substitute_and_fold_engine to class.
> 
> The conversion of the substitute_and_fold_engine class involved changing 
> all calls to get_value() to a corresponding method providing context. 
> For example, when the edge or statement is available, we pass these to 
> the appropriate method.
> 
> With this, we've been able to plug in the ranger into our hybrid evrp, 
> which can then get better ranges.  Our hybrid evrp has moved a lot of 
> optimizations that were happening much later into the early vrp stage.
> 
> 3. Conversion of sprintf/strlen pass to class.
> 
> This is a nonfunctional change to the sprintf/strlen passes.  That is, 
> no effort was made to change the passes to multi-ranges.  However, with 
> this patch, we are able to plug in a ranger or evrp with just a few 
> lines, since the range query mechanism share a common API.

Thanks for doing all this!  There isn't anything I don't understand
in the sprintf changes so no questions from me (well, almost none).
Just some comments:

The current call statement is available in all functions that take
a directive argument, as dir->info.callstmt.  There should be no need
to also add it as a new argument to the functions that now need it.

The change adds code along these lines in a bunch of places:

+	  value_range vr;
+	  if (!query->range_of_expr (vr, arg, stmt))
+	    vr.set_varying (TREE_TYPE (arg));

I thought under the new Ranger APIs when a range couldn't be
determined it would be automatically set to the maximum for
the type.  I like that and have been moving in that direction
with my code myself (rather than having an API fail, have it
set the max range and succeed).

Since that isn't so in this case, I think it would still be nice
if the added code could be written as if the range were set to
varying in this case and (ideally) reduced to just initialization:

   value_range vr = some-function (query, stmt, arg);

some-function could be an inline helper defined just for the sprintf
pass (and maybe also strlen which also seems to use the same pattern),
or it could be a value_range AKA irange ctor, or it could be a member
of range_query, whatever is the most appropriate.

(If assigning/copying a value_range is thought to be too expensive,
declaring it first and then passing it to that helper to set it
would work too).

In strlen, is the removed comment no longer relevant?  (I.e., does
the ranger solve the problem?)

-      /* The range below may be "inaccurate" if a constant has been
-	 substituted earlier for VAL by this pass that hasn't been
-	 propagated through the CFG.  This shoud be fixed by the new
-	 on-demand VRP if/when it becomes available (hopefully in
-	 GCC 11).  */

I'm wondering about the comment added to get_range_strlen_dynamic
and other places:

+	  // FIXME: Use range_query instead of global ranges.

Is that something you're planning to do in a followup or should
I remember to do it at some point?

Otherwise I have no concern with the changes.

Thanks
Martin

> 
> ---------------------
> 
> We think this interface is generic enough to be used in any place that 
> queries ranges or singletons, basically any place we have *valueize* in 
> the compiler.  It can also be used to replace range generators at will, 
> or even combine them to get the best of both worlds.  For example, 
> places that currently have a value_* interface because they work with 
> constants, like CCP, could have an alternate valueizer plugged in and if 
> a range folds to a constant, CCP could then propagate that constant.
> 
> Tested on x86-64 Linux.
> 
> Aldy

On 9/24/20 5:51 PM, Martin Sebor via Gcc-patches wrote:
> On 9/18/20 12:38 PM, Aldy Hernandez via Gcc-patches wrote:
>>
>>
>> 3. Conversion of sprintf/strlen pass to class.
>>
>> This is a nonfunctional change to the sprintf/strlen passes. That is, 
>> no effort was made to change the passes to multi-ranges.  However, 
>> with this patch, we are able to plug in a ranger or evrp with just a 
>> few lines, since the range query mechanism share a common API.
>
> Thanks for doing all this!  There isn't anything I don't understand
> in the sprintf changes so no questions from me (well, almost none).
> Just some comments:
>
> The current call statement is available in all functions that take
> a directive argument, as dir->info.callstmt.  There should be no need
> to also add it as a new argument to the functions that now need it.
>
> The change adds code along these lines in a bunch of places:
>
> +      value_range vr;
> +      if (!query->range_of_expr (vr, arg, stmt))
> +        vr.set_varying (TREE_TYPE (arg));
>
> I thought under the new Ranger APIs when a range couldn't be
> determined it would be automatically set to the maximum for
> the type.  I like that and have been moving in that direction
> with my code myself (rather than having an API fail, have it
> set the max range and succeed).
>
Aldy will have to comment why that is there, probably an oversight The 
API should return VARYING if it cant calculate a better range. The only 
time the API returns a FALSE for a query is when the range is 
unsupported..  ie, you ask for the range of a float statement or argument.

Andrew

On 9/23/20 7:53 PM, Martin Sebor via Gcc-patches wrote:
> On 9/18/20 12:38 PM, Aldy Hernandez via Gcc-patches wrote:
>> As part of the ranger work, we have been trying to clean up and 
>> generalize interfaces whenever possible. This not only helps in 
>> reducing the maintenance burden going forward, but provides 
>> mechanisms for backwards compatibility between ranger and other 
>> providers/users of ranges throughout the compiler like evrp and VRP.
>>
>> One such interface is the range_query class in vr_values.h, which 
>> provides a range query mechanism for use in the simplify_using_ranges 
>> module.  With it, simplify_using_ranges can be used with the ranger, 
>> or the VRP twins by providing a get_value_range() method.  This has 
>> helped us in comparing apples to apples while doing our work, and has 
>> also future proofed the interface so that asking for a range can be 
>> done within the context in which it appeared.  For example, 
>> get_value_range now takes a gimple statement which provides context.  
>> We are no longer tied to asking for a global SSA range, but can ask 
>> for the range of an SSA within a statement. Granted, this 
>> functionality is currently only in the ranger, but evrp/vrp could be 
>> adapted to pass such context.
>>
>> The range_query is a good first step, but what we really want is a 
>> generic query mechanism that can ask for SSA ranges within an 
>> expression, a statement, an edge, or anything else that may come up.  
>> We think that a generic mechanism can be used not only for range 
>> producers, but consumers such as the substitute_and_fold_engine (see 
>> get_value virtual) and possibly the gimple folder (see valueize).
>>
>> The attached patchset provides such an interface.  It is meant to be 
>> a replacement for range_query that can be used for vr_values, 
>> substitute_and_fold, the subsitute_and_fold_engine, as well as the 
>> ranger.  The general API is:
>>
>> class value_query
>> {
>> public:
>>    // Return the singleton expression for NAME at a gimple statement,
>>    // or NULL if none found.
>>    virtual tree value_of_expr (tree name, gimple * = NULL) = 0;
>>    // Return the singleton expression for NAME at an edge, or NULL if
>>    // none found.
>>    virtual tree value_on_edge (edge, tree name);
>>    // Return the singleton expression for the LHS of a gimple
>>    // statement, assuming an (optional) initial value of NAME. Returns
>>    // NULL if none found.
>>    //
>>    // Note this method calculates the range the LHS would have *after*
>>    // the statement has executed.
>>    virtual tree value_of_stmt (gimple *, tree name = NULL);
>> };
>>
>> class range_query : public value_query
>> {
>> public:
>>    range_query ();
>>    virtual ~range_query ();
>>
>>    virtual tree value_of_expr (tree name, gimple * = NULL) OVERRIDE;
>>    virtual tree value_on_edge (edge, tree name) OVERRIDE;
>>    virtual tree value_of_stmt (gimple *, tree name = NULL) OVERRIDE;
>>
>>    // These are the range equivalents of the value_* methods. Instead
>>    // of returning a singleton, they calculate a range and return it in
>>    // R.  TRUE is returned on success or FALSE if no range was found.
>>    virtual bool range_of_expr (irange &r, tree name, gimple * = NULL) 
>> = 0;
>>    virtual bool range_on_edge (irange &r, edge, tree name);
>>    virtual bool range_of_stmt (irange &r, gimple *, tree name = NULL);
>>
>>    // DEPRECATED: This method is used from vr-values.  The plan is to
>>    // rewrite all uses of it to the above API.
>>    virtual const class value_range_equiv *get_value_range (const_tree,
>>                                gimple * = NULL);
>> };
>>
>> The duality of the API (value_of_* and range_on_*) is because some 
>> passes are interested in a singleton value 
>> (substitute_and_fold_enginge), while others are interested in ranges 
>> (vr_values).  Passes that are only interested in singletons can take 
>> a value_query, while passes that are interested in full ranges, can 
>> take a range_query.  Of course, for future proofing, we would 
>> recommend taking a range_query, since if you provide a default 
>> range_of_expr, sensible defaults will be provided for the others in 
>> terms of range_of_expr.
>>
>> Note, that the absolute bare minimum that must be provided is a 
>> value_of_expr and a range_of_expr respectively.
>>
>> One piece of the API which is missing is a method  to return the 
>> range of an arbitrary SSA_NAME *after* a statement.  Currently 
>> range_of_expr calculates the range of an expression upon entry to the 
>> statement, whereas range_of_stmt calculates the range of *only* the 
>> LHS of a statement AFTER the statement has executed.
>>
>> This would allow for complete representation of the ranges/values in 
>> something like:
>>
>>      d_4 = *g_7;
>>
>> Here the range of g_7 upon entry could be VARYING, but after the 
>> dereference we know it must be non-zero.  Well for sane targets anyhow.
>>
>> Choices would be to:
>>
>>    1) add a 4th method such as "range_after_stmt", or
>>
>>    2) merge that functionality with the existing range_of_stmt method 
>> to provide "after" functionality for any ssa_name. Currently the 
>> SSA_NAME must be the same as the LHS if specified.  It also does not 
>> need to be specified to allow evaluation of statements without a LHS, 
>> (if (x < 1) has no LHS, but will return [0,0] [1,1] or [0,1] as there 
>> is a boolean "result" to the statement.
>>
>> Also, we've debated whether to use the two classes (value_query and 
>> range_query) separately as above, or perhaps join them into one 
>> class. I personally like the separation of powers.  Some users only 
>> care for singletons, no sense in polluting their implementations with 
>> talk of ranges.  But we're open to suggestions.
>>
>> The patchset is divided into 3 parts:
>>
>> 1. Generic implementation of class.
>
> Just a few comments on the new APIs in part 1.
>
> Here I would again recommend preventing the copying and assigning
> the new range_query class.  Ditto for equiv_allocator unless its
> base takes care of that.  For value_query, since it has a pure
> virtual function, I would suggest to declare its default ctor
> protected (and = default).  That way, if someone tries to define
> an object of it, they'll get a nice compilation error as opposed
> to a confusing linker error.
>
> The range_query default ctor uses the new epression to allocate
> and construct its equiv_allocator object but the range_query dtor
> just calls release on the object without invoking the delete
> expression on it.  Unless the release() function does that (I'd
> hope not but I have seen it) that seems like a leak.
>

looks like an oversight, definitely call delete.

> Also, defining virtual functions to take default arguments tends
> to be tricky and is generally discouraged.  Usually the default
> argument value from the base class is used, unless the overridden
> virtual function is called directly (either via Derived::foo()
> or via ptr_to_derived->foo()).  To avoid surprises all overridden
> virtual functions need to have the same defaults as the base,
> which is easy to get wrong without compiler warnings.
>

> One way to get around this is to define a non-virtual public
> function with defaults in the base class and have it call
> a protected virtual without the defaults.
>
>
I'm not overly concerned about this.. If there is a default, its always 
NULL, and it is simply to bypass having multiple versions of the routine 
which come with varies degreees of confusion of its own.  I experimented 
with multiple approaches, including that one.. I found each thing was a 
little awkward one way or another.

Given a NULL default is going to be pretty consistent, I'd leave it be 
for now.   Its primarily for legacy code, and when we nuke those uses 
down the road, we could consider removing the default, forcing the 
client to explicitly provide the NULL indicating the know they are 
looking for a global value, not a contextual one.


Since you have replied to this thread, whats your opinion whether there 
should be an extra API entry point for range/value_after_stmt or whether 
that should be rolled into  the range_of_stmt routine, and any ssa-name 
specified would be the it's range after the stmt..   perhaps renaming it 
to something like "range_post_stmt" and if no ssa-name is specified, it 
applies to the stmt result.

Andrew

On 9/25/20 3:17 PM, Andrew MacLeod wrote:
> On 9/24/20 5:51 PM, Martin Sebor via Gcc-patches wrote:
>> On 9/18/20 12:38 PM, Aldy Hernandez via Gcc-patches wrote:
>>>
>>>
>>> 3. Conversion of sprintf/strlen pass to class.
>>>
>>> This is a nonfunctional change to the sprintf/strlen passes. That is, 
>>> no effort was made to change the passes to multi-ranges.  However, 
>>> with this patch, we are able to plug in a ranger or evrp with just a 
>>> few lines, since the range query mechanism share a common API.
>>
>> Thanks for doing all this!  There isn't anything I don't understand
>> in the sprintf changes so no questions from me (well, almost none).
>> Just some comments:
>>
>> The current call statement is available in all functions that take
>> a directive argument, as dir->info.callstmt.  There should be no need
>> to also add it as a new argument to the functions that now need it.
>>
>> The change adds code along these lines in a bunch of places:
>>
>> +      value_range vr;
>> +      if (!query->range_of_expr (vr, arg, stmt))
>> +        vr.set_varying (TREE_TYPE (arg));
>>
>> I thought under the new Ranger APIs when a range couldn't be
>> determined it would be automatically set to the maximum for
>> the type.  I like that and have been moving in that direction
>> with my code myself (rather than having an API fail, have it
>> set the max range and succeed).
>>
> Aldy will have to comment why that is there, probably an oversight The 
> API should return VARYING if it cant calculate a better range. The only 
> time the API returns a FALSE for a query is when the range is 
> unsupported..  ie, you ask for the range of a float statement or argument.

Right on both counts.

We could ignore the return value, or my preferred method (which I know 
Andrew hates):

gcc_assert (query->range_of_expr(vr, arg, stmt));

Aldy

On 9/25/20 11:41 AM, Andrew MacLeod wrote:
> On 9/23/20 7:53 PM, Martin Sebor via Gcc-patches wrote:
>> On 9/18/20 12:38 PM, Aldy Hernandez via Gcc-patches wrote:
>>> As part of the ranger work, we have been trying to clean up and 
>>> generalize interfaces whenever possible. This not only helps in 
>>> reducing the maintenance burden going forward, but provides 
>>> mechanisms for backwards compatibility between ranger and other 
>>> providers/users of ranges throughout the compiler like evrp and VRP.
>>>
>>> One such interface is the range_query class in vr_values.h, which 
>>> provides a range query mechanism for use in the simplify_using_ranges 
>>> module.  With it, simplify_using_ranges can be used with the ranger, 
>>> or the VRP twins by providing a get_value_range() method.  This has 
>>> helped us in comparing apples to apples while doing our work, and has 
>>> also future proofed the interface so that asking for a range can be 
>>> done within the context in which it appeared.  For example, 
>>> get_value_range now takes a gimple statement which provides context. 
>>> We are no longer tied to asking for a global SSA range, but can ask 
>>> for the range of an SSA within a statement. Granted, this 
>>> functionality is currently only in the ranger, but evrp/vrp could be 
>>> adapted to pass such context.
>>>
>>> The range_query is a good first step, but what we really want is a 
>>> generic query mechanism that can ask for SSA ranges within an 
>>> expression, a statement, an edge, or anything else that may come up. 
>>> We think that a generic mechanism can be used not only for range 
>>> producers, but consumers such as the substitute_and_fold_engine (see 
>>> get_value virtual) and possibly the gimple folder (see valueize).
>>>
>>> The attached patchset provides such an interface.  It is meant to be 
>>> a replacement for range_query that can be used for vr_values, 
>>> substitute_and_fold, the subsitute_and_fold_engine, as well as the 
>>> ranger.  The general API is:
>>>
>>> class value_query
>>> {
>>> public:
>>>    // Return the singleton expression for NAME at a gimple statement,
>>>    // or NULL if none found.
>>>    virtual tree value_of_expr (tree name, gimple * = NULL) = 0;
>>>    // Return the singleton expression for NAME at an edge, or NULL if
>>>    // none found.
>>>    virtual tree value_on_edge (edge, tree name);
>>>    // Return the singleton expression for the LHS of a gimple
>>>    // statement, assuming an (optional) initial value of NAME. Returns
>>>    // NULL if none found.
>>>    //
>>>    // Note this method calculates the range the LHS would have *after*
>>>    // the statement has executed.
>>>    virtual tree value_of_stmt (gimple *, tree name = NULL);
>>> };
>>>
>>> class range_query : public value_query
>>> {
>>> public:
>>>    range_query ();
>>>    virtual ~range_query ();
>>>
>>>    virtual tree value_of_expr (tree name, gimple * = NULL) OVERRIDE;
>>>    virtual tree value_on_edge (edge, tree name) OVERRIDE;
>>>    virtual tree value_of_stmt (gimple *, tree name = NULL) OVERRIDE;
>>>
>>>    // These are the range equivalents of the value_* methods. Instead
>>>    // of returning a singleton, they calculate a range and return it in
>>>    // R.  TRUE is returned on success or FALSE if no range was found.
>>>    virtual bool range_of_expr (irange &r, tree name, gimple * = NULL) 
>>> = 0;
>>>    virtual bool range_on_edge (irange &r, edge, tree name);
>>>    virtual bool range_of_stmt (irange &r, gimple *, tree name = NULL);
>>>
>>>    // DEPRECATED: This method is used from vr-values.  The plan is to
>>>    // rewrite all uses of it to the above API.
>>>    virtual const class value_range_equiv *get_value_range (const_tree,
>>>                                gimple * = NULL);
>>> };
>>>
>>> The duality of the API (value_of_* and range_on_*) is because some 
>>> passes are interested in a singleton value 
>>> (substitute_and_fold_enginge), while others are interested in ranges 
>>> (vr_values).  Passes that are only interested in singletons can take 
>>> a value_query, while passes that are interested in full ranges, can 
>>> take a range_query.  Of course, for future proofing, we would 
>>> recommend taking a range_query, since if you provide a default 
>>> range_of_expr, sensible defaults will be provided for the others in 
>>> terms of range_of_expr.
>>>
>>> Note, that the absolute bare minimum that must be provided is a 
>>> value_of_expr and a range_of_expr respectively.
>>>
>>> One piece of the API which is missing is a method  to return the 
>>> range of an arbitrary SSA_NAME *after* a statement.  Currently 
>>> range_of_expr calculates the range of an expression upon entry to the 
>>> statement, whereas range_of_stmt calculates the range of *only* the 
>>> LHS of a statement AFTER the statement has executed.
>>>
>>> This would allow for complete representation of the ranges/values in 
>>> something like:
>>>
>>>      d_4 = *g_7;
>>>
>>> Here the range of g_7 upon entry could be VARYING, but after the 
>>> dereference we know it must be non-zero.  Well for sane targets anyhow.
>>>
>>> Choices would be to:
>>>
>>>    1) add a 4th method such as "range_after_stmt", or
>>>
>>>    2) merge that functionality with the existing range_of_stmt method 
>>> to provide "after" functionality for any ssa_name. Currently the 
>>> SSA_NAME must be the same as the LHS if specified.  It also does not 
>>> need to be specified to allow evaluation of statements without a LHS, 
>>> (if (x < 1) has no LHS, but will return [0,0] [1,1] or [0,1] as there 
>>> is a boolean "result" to the statement.
>>>
>>> Also, we've debated whether to use the two classes (value_query and 
>>> range_query) separately as above, or perhaps join them into one 
>>> class. I personally like the separation of powers.  Some users only 
>>> care for singletons, no sense in polluting their implementations with 
>>> talk of ranges.  But we're open to suggestions.
>>>
>>> The patchset is divided into 3 parts:
>>>
>>> 1. Generic implementation of class.
>>
>> Just a few comments on the new APIs in part 1.
>>
>> Here I would again recommend preventing the copying and assigning
>> the new range_query class.  Ditto for equiv_allocator unless its
>> base takes care of that.  For value_query, since it has a pure
>> virtual function, I would suggest to declare its default ctor
>> protected (and = default).  That way, if someone tries to define
>> an object of it, they'll get a nice compilation error as opposed
>> to a confusing linker error.
>>
>> The range_query default ctor uses the new epression to allocate
>> and construct its equiv_allocator object but the range_query dtor
>> just calls release on the object without invoking the delete
>> expression on it.  Unless the release() function does that (I'd
>> hope not but I have seen it) that seems like a leak.
>>
> 
> looks like an oversight, definitely call delete.
> 
>> Also, defining virtual functions to take default arguments tends
>> to be tricky and is generally discouraged.  Usually the default
>> argument value from the base class is used, unless the overridden
>> virtual function is called directly (either via Derived::foo()
>> or via ptr_to_derived->foo()).  To avoid surprises all overridden
>> virtual functions need to have the same defaults as the base,
>> which is easy to get wrong without compiler warnings.
>>
> 
>> One way to get around this is to define a non-virtual public
>> function with defaults in the base class and have it call
>> a protected virtual without the defaults.
>>
>>
> I'm not overly concerned about this.. If there is a default, its always 
> NULL, and it is simply to bypass having multiple versions of the routine 
> which come with varies degreees of confusion of its own.  I experimented 
> with multiple approaches, including that one.. I found each thing was a 
> little awkward one way or another.
> 
> Given a NULL default is going to be pretty consistent, I'd leave it be 
> for now.   Its primarily for legacy code, and when we nuke those uses 
> down the road, we could consider removing the default, forcing the 
> client to explicitly provide the NULL indicating the know they are 
> looking for a global value, not a contextual one.

I agree that the risk with the null is lower than with other
default values.  I also don't have a sense of how common deriving
from these classes will be so if it's expected to be rare it's
probably not something to be concerned about.

> Since you have replied to this thread, whats your opinion whether there 
> should be an extra API entry point for range/value_after_stmt or whether 
> that should be rolled into  the range_of_stmt routine, and any ssa-name 
> specified would be the it's range after the stmt..   perhaps renaming it 
> to something like "range_post_stmt" and if no ssa-name is specified, it 
> applies to the stmt result.

I prefer API parameterization over distinct names.  It makes APIs
easier for me to reason about, and when implementing them, often
lets me avoid duplicating code between.  A good rule of thumb is
to ask if it might ever make sense to defer the decision to call
one or the other alternative until runtime.  If the answer isn't
an unequivocal "no" then a single entry point with a parameter is
probably a better choice.

By the way, your question about API design makes me think about
something else.  A range is a generalization of a singleton value
(it's a collection of singletons, which is particularly true with
the new multi-range design).  Conversely, a singleton value is
a specialization of a range.  It always makes sense to ask for
the range of an expression, even if it evaluates to a constant.
It only makes sense to ask for its value if it's know to evaluate
to a constant.  So if it's expected to be useful to make
a distinction between the two concepts in the type system I would
think it natural to model the relationship by having value_query
derive from range_query rather than the other way around.

Martin

On 9/28/20 11:27 AM, Martin Sebor wrote:
> On 9/25/20 11:41 AM, Andrew MacLeod wrote:

>
>> Since you have replied to this thread, whats your opinion whether 
>> there should be an extra API entry point for range/value_after_stmt 
>> or whether that should be rolled into  the range_of_stmt routine, and 
>> any ssa-name specified would be the it's range after the stmt..   
>> perhaps renaming it to something like "range_post_stmt" and if no 
>> ssa-name is specified, it applies to the stmt result.
>
> I prefer API parameterization over distinct names.  It makes APIs
> easier for me to reason about, and when implementing them, often
> lets me avoid duplicating code between.  A good rule of thumb is
> to ask if it might ever make sense to defer the decision to call
> one or the other alternative until runtime.  If the answer isn't
> an unequivocal "no" then a single entry point with a parameter is
> probably a better choice.
>
> By the way, your question about API design makes me think about
> something else.  A range is a generalization of a singleton value
> (it's a collection of singletons, which is particularly true with
> the new multi-range design).  Conversely, a singleton value is
> a specialization of a range.  It always makes sense to ask for
> the range of an expression, even if it evaluates to a constant.
> It only makes sense to ask for its value if it's know to evaluate
> to a constant.  So if it's expected to be useful to make
> a distinction between the two concepts in the type system I would
> think it natural to model the relationship by having value_query
> derive from range_query rather than the other way around.
>

We've considered a single class for queries rather than the existing 
derived structure, but it all depends on your point of view.

You can have values without knowing about ranges, but you can't have 
ranges without knowing about values.  Its persepective, so there isnt a 
really a "right" answer. Either can be implemented in terms of the other.

Lots of places in the compiler deal with value callbacks, only a few 
know or care about ranges, and those usually care about both ranges and 
values... thus the current structure.

Regardless, its a starting point and easy to combine as a single class 
later should that be worthwhile.

Andrew

On 9/25/20 1:41 PM, Andrew MacLeod via Gcc-patches wrote:
> On 9/23/20 7:53 PM, Martin Sebor via Gcc-patches wrote:
>> On 9/18/20 12:38 PM, Aldy Hernandez via Gcc-patches wrote:
>>> As part of the ranger work, we have been trying to clean up and 
>>> generalize interfaces whenever possible. This not only helps in 
>>> reducing the maintenance burden going forward, but provides 
>>> mechanisms for backwards compatibility between ranger and other 
>>> providers/users of ranges throughout the compiler like evrp and VRP.
>>>
>>> One such interface is the range_query class in vr_values.h, which 
>>> provides a range query mechanism for use in the 
>>> simplify_using_ranges module.  With it, simplify_using_ranges can be 
>>> used with the ranger, or the VRP twins by providing a 
>>> get_value_range() method.  This has helped us in comparing apples to 
>>> apples while doing our work, and has also future proofed the 
>>> interface so that asking for a range can be done within the context 
>>> in which it appeared.  For example, get_value_range now takes a 
>>> gimple statement which provides context.  We are no longer tied to 
>>> asking for a global SSA range, but can ask for the range of an SSA 
>>> within a statement. Granted, this functionality is currently only in 
>>> the ranger, but evrp/vrp could be adapted to pass such context.
>>>
>>> The range_query is a good first step, but what we really want is a 
>>> generic query mechanism that can ask for SSA ranges within an 
>>> expression, a statement, an edge, or anything else that may come 
>>> up.  We think that a generic mechanism can be used not only for 
>>> range producers, but consumers such as the 
>>> substitute_and_fold_engine (see get_value virtual) and possibly the 
>>> gimple folder (see valueize).
>>>
>>> The attached patchset provides such an interface.  It is meant to be 
>>> a replacement for range_query that can be used for vr_values, 
>>> substitute_and_fold, the subsitute_and_fold_engine, as well as the 
>>> ranger.  The general API is:
>>>
>>> class value_query
>>> {
>>> public:
>>>    // Return the singleton expression for NAME at a gimple statement,
>>>    // or NULL if none found.
>>>    virtual tree value_of_expr (tree name, gimple * = NULL) = 0;
>>>    // Return the singleton expression for NAME at an edge, or NULL if
>>>    // none found.
>>>    virtual tree value_on_edge (edge, tree name);
>>>    // Return the singleton expression for the LHS of a gimple
>>>    // statement, assuming an (optional) initial value of NAME. Returns
>>>    // NULL if none found.
>>>    //
>>>    // Note this method calculates the range the LHS would have *after*
>>>    // the statement has executed.
>>>    virtual tree value_of_stmt (gimple *, tree name = NULL);
>>> };
>>>
>>> class range_query : public value_query
>>> {
>>> public:
>>>    range_query ();
>>>    virtual ~range_query ();
>>>
>>>    virtual tree value_of_expr (tree name, gimple * = NULL) OVERRIDE;
>>>    virtual tree value_on_edge (edge, tree name) OVERRIDE;
>>>    virtual tree value_of_stmt (gimple *, tree name = NULL) OVERRIDE;
>>>
>>>    // These are the range equivalents of the value_* methods. Instead
>>>    // of returning a singleton, they calculate a range and return it in
>>>    // R.  TRUE is returned on success or FALSE if no range was found.
>>>    virtual bool range_of_expr (irange &r, tree name, gimple * = 
>>> NULL) = 0;
>>>    virtual bool range_on_edge (irange &r, edge, tree name);
>>>    virtual bool range_of_stmt (irange &r, gimple *, tree name = NULL);
>>>
>>>    // DEPRECATED: This method is used from vr-values.  The plan is to
>>>    // rewrite all uses of it to the above API.
>>>    virtual const class value_range_equiv *get_value_range (const_tree,
>>>                                gimple * = NULL);
>>> };
>>>
>>> The duality of the API (value_of_* and range_on_*) is because some 
>>> passes are interested in a singleton value 
>>> (substitute_and_fold_enginge), while others are interested in ranges 
>>> (vr_values).  Passes that are only interested in singletons can take 
>>> a value_query, while passes that are interested in full ranges, can 
>>> take a range_query.  Of course, for future proofing, we would 
>>> recommend taking a range_query, since if you provide a default 
>>> range_of_expr, sensible defaults will be provided for the others in 
>>> terms of range_of_expr.
>>>
>>> Note, that the absolute bare minimum that must be provided is a 
>>> value_of_expr and a range_of_expr respectively.
>>>
>>> One piece of the API which is missing is a method  to return the 
>>> range of an arbitrary SSA_NAME *after* a statement. Currently 
>>> range_of_expr calculates the range of an expression upon entry to 
>>> the statement, whereas range_of_stmt calculates the range of *only* 
>>> the LHS of a statement AFTER the statement has executed.
>>>
>>> This would allow for complete representation of the ranges/values in 
>>> something like:
>>>
>>>      d_4 = *g_7;
>>>
>>> Here the range of g_7 upon entry could be VARYING, but after the 
>>> dereference we know it must be non-zero.  Well for sane targets anyhow.
>>>
>>> Choices would be to:
>>>
>>>    1) add a 4th method such as "range_after_stmt", or
>>>
>>>    2) merge that functionality with the existing range_of_stmt 
>>> method to provide "after" functionality for any ssa_name. Currently 
>>> the SSA_NAME must be the same as the LHS if specified.  It also does 
>>> not need to be specified to allow evaluation of statements without a 
>>> LHS, (if (x < 1) has no LHS, but will return [0,0] [1,1] or [0,1] as 
>>> there is a boolean "result" to the statement.
>>>
>>> Also, we've debated whether to use the two classes (value_query and 
>>> range_query) separately as above, or perhaps join them into one 
>>> class. I personally like the separation of powers.  Some users only 
>>> care for singletons, no sense in polluting their implementations 
>>> with talk of ranges.  But we're open to suggestions.
>>>
>>> The patchset is divided into 3 parts:
>>>
>>> 1. Generic implementation of class.
>>
>> Just a few comments on the new APIs in part 1.
>>
>> Here I would again recommend preventing the copying and assigning
>> the new range_query class.  Ditto for equiv_allocator unless its
>> base takes care of that.  For value_query, since it has a pure
>> virtual function, I would suggest to declare its default ctor
>> protected (and = default).  That way, if someone tries to define
>> an object of it, they'll get a nice compilation error as opposed
>> to a confusing linker error.
>>
>> The range_query default ctor uses the new epression to allocate
>> and construct its equiv_allocator object but the range_query dtor
>> just calls release on the object without invoking the delete
>> expression on it.  Unless the release() function does that (I'd
>> hope not but I have seen it) that seems like a leak.
>>
>
> looks like an oversight, definitely call delete.
>
>> Also, defining virtual functions to take default arguments tends
>> to be tricky and is generally discouraged.  Usually the default
>> argument value from the base class is used, unless the overridden
>> virtual function is called directly (either via Derived::foo()
>> or via ptr_to_derived->foo()).  To avoid surprises all overridden
>> virtual functions need to have the same defaults as the base,
>> which is easy to get wrong without compiler warnings.
>>
>
>> One way to get around this is to define a non-virtual public
>> function with defaults in the base class and have it call
>> a protected virtual without the defaults.
>>
>>
> I'm not overly concerned about this.. If there is a default, its 
> always NULL, and it is simply to bypass having multiple versions of 
> the routine which come with varies degreees of confusion of its own.  
> I experimented with multiple approaches, including that one.. I found 
> each thing was a little awkward one way or another.
>
> Given a NULL default is going to be pretty consistent, I'd leave it be 
> for now.   Its primarily for legacy code, and when we nuke those uses 
> down the road, we could consider removing the default, forcing the 
> client to explicitly provide the NULL indicating the know they are 
> looking for a global value, not a contextual one.
>
>
> Since you have replied to this thread, whats your opinion whether 
> there should be an extra API entry point for range/value_after_stmt or 
> whether that should be rolled into  the range_of_stmt routine, and any 
> ssa-name specified would be the it's range after the stmt..   perhaps 
> renaming it to something like "range_post_stmt" and if no ssa-name is 
> specified, it applies to the stmt result.
>
> Andrew
>
>
With the change to add the delete and DISABLE_COPY_AND_ASSIGN this is OK.
Its not in widespread use and easy enough to tweak later.

Andrew

> Thanks for doing all this!  There isn't anything I don't understand
> in the sprintf changes so no questions from me (well, almost none).
> Just some comments:

Thanks for your comments on the sprintf/strlen API conversion.

>
> The current call statement is available in all functions that take
> a directive argument, as dir->info.callstmt.  There should be no need
> to also add it as a new argument to the functions that now need it.

Fixed.

>
> The change adds code along these lines in a bunch of places:
>
> +         value_range vr;
> +         if (!query->range_of_expr (vr, arg, stmt))
> +           vr.set_varying (TREE_TYPE (arg));
>
> I thought under the new Ranger APIs when a range couldn't be
> determined it would be automatically set to the maximum for
> the type.  I like that and have been moving in that direction
> with my code myself (rather than having an API fail, have it
> set the max range and succeed).

I went through all the above idioms and noticed all are being used on
supported types (integers or pointers).  So range_of_expr will always
return true.  I've removed the if() and the set_varying.

>
> Since that isn't so in this case, I think it would still be nice
> if the added code could be written as if the range were set to
> varying in this case and (ideally) reduced to just initialization:
>
>    value_range vr = some-function (query, stmt, arg);
>
> some-function could be an inline helper defined just for the sprintf
> pass (and maybe also strlen which also seems to use the same pattern),
> or it could be a value_range AKA irange ctor, or it could be a member
> of range_query, whatever is the most appropriate.
>
> (If assigning/copying a value_range is thought to be too expensive,
> declaring it first and then passing it to that helper to set it
> would work too).
>
> In strlen, is the removed comment no longer relevant?  (I.e., does
> the ranger solve the problem?)
>
> -      /* The range below may be "inaccurate" if a constant has been
> -        substituted earlier for VAL by this pass that hasn't been
> -        propagated through the CFG.  This shoud be fixed by the new
> -        on-demand VRP if/when it becomes available (hopefully in
> -        GCC 11).  */

It should.

>
> I'm wondering about the comment added to get_range_strlen_dynamic
> and other places:
>
> +         // FIXME: Use range_query instead of global ranges.
>
> Is that something you're planning to do in a followup or should
> I remember to do it at some point?

I'm not planning on doing it.  It's just a reminder that it would be
beneficial to do so.

>
> Otherwise I have no concern with the changes.

It's not cleared whether Andrew approved all 3 parts of the patchset
or just the valuation part.  I'll wait for his nod before committing
this chunk.

Aldy

On 10/1/20 5:05 AM, Aldy Hernandez via Gcc-patches wrote:
>> Thanks for doing all this!  There isn't anything I don't understand
>> in the sprintf changes so no questions from me (well, almost none).
>> Just some comments:
> Thanks for your comments on the sprintf/strlen API conversion.
>
>> The current call statement is available in all functions that take
>> a directive argument, as dir->info.callstmt.  There should be no need
>> to also add it as a new argument to the functions that now need it.
> Fixed.
>
>> The change adds code along these lines in a bunch of places:
>>
>> +         value_range vr;
>> +         if (!query->range_of_expr (vr, arg, stmt))
>> +           vr.set_varying (TREE_TYPE (arg));
>>
>> I thought under the new Ranger APIs when a range couldn't be
>> determined it would be automatically set to the maximum for
>> the type.  I like that and have been moving in that direction
>> with my code myself (rather than having an API fail, have it
>> set the max range and succeed).
> I went through all the above idioms and noticed all are being used on
> supported types (integers or pointers).  So range_of_expr will always
> return true.  I've removed the if() and the set_varying.
>
>> Since that isn't so in this case, I think it would still be nice
>> if the added code could be written as if the range were set to
>> varying in this case and (ideally) reduced to just initialization:
>>
>>     value_range vr = some-function (query, stmt, arg);
>>
>> some-function could be an inline helper defined just for the sprintf
>> pass (and maybe also strlen which also seems to use the same pattern),
>> or it could be a value_range AKA irange ctor, or it could be a member
>> of range_query, whatever is the most appropriate.
>>
>> (If assigning/copying a value_range is thought to be too expensive,
>> declaring it first and then passing it to that helper to set it
>> would work too).
>>
>> In strlen, is the removed comment no longer relevant?  (I.e., does
>> the ranger solve the problem?)
>>
>> -      /* The range below may be "inaccurate" if a constant has been
>> -        substituted earlier for VAL by this pass that hasn't been
>> -        propagated through the CFG.  This shoud be fixed by the new
>> -        on-demand VRP if/when it becomes available (hopefully in
>> -        GCC 11).  */
> It should.
>
>> I'm wondering about the comment added to get_range_strlen_dynamic
>> and other places:
>>
>> +         // FIXME: Use range_query instead of global ranges.
>>
>> Is that something you're planning to do in a followup or should
>> I remember to do it at some point?
> I'm not planning on doing it.  It's just a reminder that it would be
> beneficial to do so.
>
>> Otherwise I have no concern with the changes.
> It's not cleared whether Andrew approved all 3 parts of the patchset
> or just the valuation part.  I'll wait for his nod before committing
> this chunk.
>
> Aldy
>
I have no issue with it, so OK.

Just an observation that should be pointed out, I believe Aldy has all 
the code for converting to a ranger, but we have not pursued that any 
further yet since there is a regression due to our lack of equivalence 
processing I think?  That should be resolved in the coming month, but at 
the moment is a holdback/concern for converting these passes...  iirc.

Andrew

On 10/1/20 3:22 PM, Andrew MacLeod wrote:
 > On 10/1/20 5:05 AM, Aldy Hernandez via Gcc-patches wrote:
 >>> Thanks for doing all this!  There isn't anything I don't understand
 >>> in the sprintf changes so no questions from me (well, almost none).
 >>> Just some comments:
 >> Thanks for your comments on the sprintf/strlen API conversion.
 >>
 >>> The current call statement is available in all functions that take
 >>> a directive argument, as dir->info.callstmt.  There should be no need
 >>> to also add it as a new argument to the functions that now need it.
 >> Fixed.
 >>
 >>> The change adds code along these lines in a bunch of places:
 >>>
 >>> +         value_range vr;
 >>> +         if (!query->range_of_expr (vr, arg, stmt))
 >>> +           vr.set_varying (TREE_TYPE (arg));
 >>>
 >>> I thought under the new Ranger APIs when a range couldn't be
 >>> determined it would be automatically set to the maximum for
 >>> the type.  I like that and have been moving in that direction
 >>> with my code myself (rather than having an API fail, have it
 >>> set the max range and succeed).
 >> I went through all the above idioms and noticed all are being used on
 >> supported types (integers or pointers).  So range_of_expr will always
 >> return true.  I've removed the if() and the set_varying.
 >>
 >>> Since that isn't so in this case, I think it would still be nice
 >>> if the added code could be written as if the range were set to
 >>> varying in this case and (ideally) reduced to just initialization:
 >>>
 >>>     value_range vr = some-function (query, stmt, arg);
 >>>
 >>> some-function could be an inline helper defined just for the sprintf
 >>> pass (and maybe also strlen which also seems to use the same pattern),
 >>> or it could be a value_range AKA irange ctor, or it could be a member
 >>> of range_query, whatever is the most appropriate.
 >>>
 >>> (If assigning/copying a value_range is thought to be too expensive,
 >>> declaring it first and then passing it to that helper to set it
 >>> would work too).
 >>>
 >>> In strlen, is the removed comment no longer relevant?  (I.e., does
 >>> the ranger solve the problem?)
 >>>
 >>> -      /* The range below may be "inaccurate" if a constant has been
 >>> -        substituted earlier for VAL by this pass that hasn't been
 >>> -        propagated through the CFG.  This shoud be fixed by the new
 >>> -        on-demand VRP if/when it becomes available (hopefully in
 >>> -        GCC 11).  */
 >> It should.
 >>
 >>> I'm wondering about the comment added to get_range_strlen_dynamic
 >>> and other places:
 >>>
 >>> +         // FIXME: Use range_query instead of global ranges.
 >>>
 >>> Is that something you're planning to do in a followup or should
 >>> I remember to do it at some point?
 >> I'm not planning on doing it.  It's just a reminder that it would be
 >> beneficial to do so.
 >>
 >>> Otherwise I have no concern with the changes.
 >> It's not cleared whether Andrew approved all 3 parts of the patchset
 >> or just the valuation part.  I'll wait for his nod before committing
 >> this chunk.
 >>
 >> Aldy
 >>
 > I have no issue with it, so OK.

Pushed all 3 patches.

 >
 > Just an observation that should be pointed out, I believe Aldy has all
 > the code for converting to a ranger, but we have not pursued that any
 > further yet since there is a regression due to our lack of equivalence
 > processing I think?  That should be resolved in the coming month, but at
 > the moment is a holdback/concern for converting these passes...  iirc.

Yes.  Martin, the take away here is that the strlen/sprintf pass has 
been converted to the new API, but ranger is still not up and running on 
it (even on the branch).

With the new API, all you have to do is remove all instances of 
evrp_range_analyzer and replace them with a ranger.  That's it.
Below is an untested patch that would convert you to a ranger once it's 
contributed.

IIRC when I enabled the ranger for your pass a while back, there was one 
or two regressions due to missing equivalences, and the rest were 
because the tests were expecting an actual specific range, and the 
ranger returned a slightly different/better one.  You'll need to adjust 
your tests.

Aldy

diff --git a/gcc/tree-ssa-strlen.c b/gcc/tree-ssa-strlen.c
index f4d1c5ca256..9f9e95b7155 100644
--- a/gcc/tree-ssa-strlen.c
+++ b/gcc/tree-ssa-strlen.c
@@ -58,8 +58,8 @@ along with GCC; see the file COPYING3.  If not see
  #include "tree-ssa-loop.h"
  #include "tree-scalar-evolution.h"
  #include "vr-values.h"
-#include "gimple-ssa-evrp-analyze.h"
  #include "tree-ssa.h"
+#include "gimple-range.h"

  /* A vector indexed by SSA_NAME_VERSION.  0 means unknown, positive value
     is an index into strinfo vector, negative value stands for
@@ -5755,16 +5755,13 @@ class strlen_dom_walker : public dom_walker
  public:
    strlen_dom_walker (cdi_direction direction)
      : dom_walker (direction),
-    evrp (false),
      m_cleanup_cfg (false)
    {}

    virtual edge before_dom_children (basic_block);
    virtual void after_dom_children (basic_block);

-  /* EVRP analyzer used for printf argument range processing, and
-     to track strlen results across integer variable assignments.  */
-  evrp_range_analyzer evrp;
+  gimple_ranger ranger;

    /* Flag that will trigger TODO_cleanup_cfg to be returned in strlen
       execute function.  */
@@ -5777,8 +5774,6 @@ public:
  edge
  strlen_dom_walker::before_dom_children (basic_block bb)
  {
-  evrp.enter (bb);
-
    basic_block dombb = get_immediate_dominator (CDI_DOMINATORS, bb);

    if (dombb == NULL)
@@ -5853,13 +5848,7 @@ strlen_dom_walker::before_dom_children 
(basic_block bb)
    /* Attempt to optimize individual statements.  */
    for (gimple_stmt_iterator gsi = gsi_start_bb (bb); !gsi_end_p (gsi); )
      {
-      gimple *stmt = gsi_stmt (gsi);
-
-      /* First record ranges generated by this statement so they
-	 can be used by printf argument processing.  */
-      evrp.record_ranges_from_stmt (stmt, false);
-
-      if (check_and_optimize_stmt (&gsi, &cleanup_eh, &evrp))
+      if (check_and_optimize_stmt (&gsi, &cleanup_eh, &ranger))
  	gsi_next (&gsi);
      }

@@ -5878,8 +5867,6 @@ strlen_dom_walker::before_dom_children 
(basic_block bb)
  void
  strlen_dom_walker::after_dom_children (basic_block bb)
  {
-  evrp.leave (bb);
-
    if (bb->aux)
      {
        stridx_to_strinfo = ((vec<strinfo *, va_heap, vl_embed> *) bb->aux);

On 10/1/20 9:34 AM, Aldy Hernandez wrote:
> 
> 
> On 10/1/20 3:22 PM, Andrew MacLeod wrote:
>  > On 10/1/20 5:05 AM, Aldy Hernandez via Gcc-patches wrote:
>  >>> Thanks for doing all this!  There isn't anything I don't understand
>  >>> in the sprintf changes so no questions from me (well, almost none).
>  >>> Just some comments:
>  >> Thanks for your comments on the sprintf/strlen API conversion.
>  >>
>  >>> The current call statement is available in all functions that take
>  >>> a directive argument, as dir->info.callstmt.  There should be no need
>  >>> to also add it as a new argument to the functions that now need it.
>  >> Fixed.
>  >>
>  >>> The change adds code along these lines in a bunch of places:
>  >>>
>  >>> +         value_range vr;
>  >>> +         if (!query->range_of_expr (vr, arg, stmt))
>  >>> +           vr.set_varying (TREE_TYPE (arg));
>  >>>
>  >>> I thought under the new Ranger APIs when a range couldn't be
>  >>> determined it would be automatically set to the maximum for
>  >>> the type.  I like that and have been moving in that direction
>  >>> with my code myself (rather than having an API fail, have it
>  >>> set the max range and succeed).
>  >> I went through all the above idioms and noticed all are being used on
>  >> supported types (integers or pointers).  So range_of_expr will always
>  >> return true.  I've removed the if() and the set_varying.
>  >>
>  >>> Since that isn't so in this case, I think it would still be nice
>  >>> if the added code could be written as if the range were set to
>  >>> varying in this case and (ideally) reduced to just initialization:
>  >>>
>  >>>     value_range vr = some-function (query, stmt, arg);
>  >>>
>  >>> some-function could be an inline helper defined just for the sprintf
>  >>> pass (and maybe also strlen which also seems to use the same pattern),
>  >>> or it could be a value_range AKA irange ctor, or it could be a member
>  >>> of range_query, whatever is the most appropriate.
>  >>>
>  >>> (If assigning/copying a value_range is thought to be too expensive,
>  >>> declaring it first and then passing it to that helper to set it
>  >>> would work too).
>  >>>
>  >>> In strlen, is the removed comment no longer relevant?  (I.e., does
>  >>> the ranger solve the problem?)
>  >>>
>  >>> -      /* The range below may be "inaccurate" if a constant has been
>  >>> -        substituted earlier for VAL by this pass that hasn't been
>  >>> -        propagated through the CFG.  This shoud be fixed by the new
>  >>> -        on-demand VRP if/when it becomes available (hopefully in
>  >>> -        GCC 11).  */
>  >> It should.
>  >>
>  >>> I'm wondering about the comment added to get_range_strlen_dynamic
>  >>> and other places:
>  >>>
>  >>> +         // FIXME: Use range_query instead of global ranges.
>  >>>
>  >>> Is that something you're planning to do in a followup or should
>  >>> I remember to do it at some point?
>  >> I'm not planning on doing it.  It's just a reminder that it would be
>  >> beneficial to do so.
>  >>
>  >>> Otherwise I have no concern with the changes.
>  >> It's not cleared whether Andrew approved all 3 parts of the patchset
>  >> or just the valuation part.  I'll wait for his nod before committing
>  >> this chunk.
>  >>
>  >> Aldy
>  >>
>  > I have no issue with it, so OK.
> 
> Pushed all 3 patches.
> 
>  >
>  > Just an observation that should be pointed out, I believe Aldy has all
>  > the code for converting to a ranger, but we have not pursued that any
>  > further yet since there is a regression due to our lack of equivalence
>  > processing I think?  That should be resolved in the coming month, but at
>  > the moment is a holdback/concern for converting these passes...  iirc.
> 
> Yes.  Martin, the take away here is that the strlen/sprintf pass has 
> been converted to the new API, but ranger is still not up and running on 
> it (even on the branch).
> 
> With the new API, all you have to do is remove all instances of 
> evrp_range_analyzer and replace them with a ranger.  That's it.
> Below is an untested patch that would convert you to a ranger once it's 
> contributed.
> 
> IIRC when I enabled the ranger for your pass a while back, there was one 
> or two regressions due to missing equivalences, and the rest were 
> because the tests were expecting an actual specific range, and the 
> ranger returned a slightly different/better one.  You'll need to adjust 
> your tests.

Ack.  I'll be on the lookout for the ranger commit (if you hppen
to remember and CC me on it just in case I might miss it that would
be great).

Thanks
Martin

> 
> Aldy
> 
> diff --git a/gcc/tree-ssa-strlen.c b/gcc/tree-ssa-strlen.c
> index f4d1c5ca256..9f9e95b7155 100644
> --- a/gcc/tree-ssa-strlen.c
> +++ b/gcc/tree-ssa-strlen.c
> @@ -58,8 +58,8 @@ along with GCC; see the file COPYING3.  If not see
>   #include "tree-ssa-loop.h"
>   #include "tree-scalar-evolution.h"
>   #include "vr-values.h"
> -#include "gimple-ssa-evrp-analyze.h"
>   #include "tree-ssa.h"
> +#include "gimple-range.h"
> 
>   /* A vector indexed by SSA_NAME_VERSION.  0 means unknown, positive value
>      is an index into strinfo vector, negative value stands for
> @@ -5755,16 +5755,13 @@ class strlen_dom_walker : public dom_walker
>   public:
>     strlen_dom_walker (cdi_direction direction)
>       : dom_walker (direction),
> -    evrp (false),
>       m_cleanup_cfg (false)
>     {}
> 
>     virtual edge before_dom_children (basic_block);
>     virtual void after_dom_children (basic_block);
> 
> -  /* EVRP analyzer used for printf argument range processing, and
> -     to track strlen results across integer variable assignments.  */
> -  evrp_range_analyzer evrp;
> +  gimple_ranger ranger;
> 
>     /* Flag that will trigger TODO_cleanup_cfg to be returned in strlen
>        execute function.  */
> @@ -5777,8 +5774,6 @@ public:
>   edge
>   strlen_dom_walker::before_dom_children (basic_block bb)
>   {
> -  evrp.enter (bb);
> -
>     basic_block dombb = get_immediate_dominator (CDI_DOMINATORS, bb);
> 
>     if (dombb == NULL)
> @@ -5853,13 +5848,7 @@ strlen_dom_walker::before_dom_children 
> (basic_block bb)
>     /* Attempt to optimize individual statements.  */
>     for (gimple_stmt_iterator gsi = gsi_start_bb (bb); !gsi_end_p (gsi); )
>       {
> -      gimple *stmt = gsi_stmt (gsi);
> -
> -      /* First record ranges generated by this statement so they
> -     can be used by printf argument processing.  */
> -      evrp.record_ranges_from_stmt (stmt, false);
> -
> -      if (check_and_optimize_stmt (&gsi, &cleanup_eh, &evrp))
> +      if (check_and_optimize_stmt (&gsi, &cleanup_eh, &ranger))
>       gsi_next (&gsi);
>       }
> 
> @@ -5878,8 +5867,6 @@ strlen_dom_walker::before_dom_children 
> (basic_block bb)
>   void
>   strlen_dom_walker::after_dom_children (basic_block bb)
>   {
> -  evrp.leave (bb);
> -
>     if (bb->aux)
>       {
>         stridx_to_strinfo = ((vec<strinfo *, va_heap, vl_embed> *) 
> bb->aux);
>

On 10/1/20 11:25 AM, Martin Sebor wrote:
> On 10/1/20 9:34 AM, Aldy Hernandez wrote:
>>
>>
>> On 10/1/20 3:22 PM, Andrew MacLeod wrote:
>>  > On 10/1/20 5:05 AM, Aldy Hernandez via Gcc-patches wrote:
>>  >>> Thanks for doing all this!  There isn't anything I don't understand
>>  >>> in the sprintf changes so no questions from me (well, almost none).
>>  >>> Just some comments:
>>  >> Thanks for your comments on the sprintf/strlen API conversion.
>>  >>
>>  >>> The current call statement is available in all functions that take
>>  >>> a directive argument, as dir->info.callstmt.  There should be no 
>> need
>>  >>> to also add it as a new argument to the functions that now need it.
>>  >> Fixed.
>>  >>
>>  >>> The change adds code along these lines in a bunch of places:
>>  >>>
>>  >>> +         value_range vr;
>>  >>> +         if (!query->range_of_expr (vr, arg, stmt))
>>  >>> +           vr.set_varying (TREE_TYPE (arg));
>>  >>>
>>  >>> I thought under the new Ranger APIs when a range couldn't be
>>  >>> determined it would be automatically set to the maximum for
>>  >>> the type.  I like that and have been moving in that direction
>>  >>> with my code myself (rather than having an API fail, have it
>>  >>> set the max range and succeed).
>>  >> I went through all the above idioms and noticed all are being used on
>>  >> supported types (integers or pointers).  So range_of_expr will always
>>  >> return true.  I've removed the if() and the set_varying.
>>  >>
>>  >>> Since that isn't so in this case, I think it would still be nice
>>  >>> if the added code could be written as if the range were set to
>>  >>> varying in this case and (ideally) reduced to just initialization:
>>  >>>
>>  >>>     value_range vr = some-function (query, stmt, arg);
>>  >>>
>>  >>> some-function could be an inline helper defined just for the sprintf
>>  >>> pass (and maybe also strlen which also seems to use the same 
>> pattern),
>>  >>> or it could be a value_range AKA irange ctor, or it could be a 
>> member
>>  >>> of range_query, whatever is the most appropriate.
>>  >>>
>>  >>> (If assigning/copying a value_range is thought to be too expensive,
>>  >>> declaring it first and then passing it to that helper to set it
>>  >>> would work too).
>>  >>>
>>  >>> In strlen, is the removed comment no longer relevant?  (I.e., does
>>  >>> the ranger solve the problem?)
>>  >>>
>>  >>> -      /* The range below may be "inaccurate" if a constant has been
>>  >>> -        substituted earlier for VAL by this pass that hasn't been
>>  >>> -        propagated through the CFG.  This shoud be fixed by the new
>>  >>> -        on-demand VRP if/when it becomes available (hopefully in
>>  >>> -        GCC 11).  */
>>  >> It should.
>>  >>
>>  >>> I'm wondering about the comment added to get_range_strlen_dynamic
>>  >>> and other places:
>>  >>>
>>  >>> +         // FIXME: Use range_query instead of global ranges.
>>  >>>
>>  >>> Is that something you're planning to do in a followup or should
>>  >>> I remember to do it at some point?
>>  >> I'm not planning on doing it.  It's just a reminder that it would be
>>  >> beneficial to do so.
>>  >>
>>  >>> Otherwise I have no concern with the changes.
>>  >> It's not cleared whether Andrew approved all 3 parts of the patchset
>>  >> or just the valuation part.  I'll wait for his nod before committing
>>  >> this chunk.
>>  >>
>>  >> Aldy
>>  >>
>>  > I have no issue with it, so OK.
>>
>> Pushed all 3 patches.
>>
>>  >
>>  > Just an observation that should be pointed out, I believe Aldy has all
>>  > the code for converting to a ranger, but we have not pursued that any
>>  > further yet since there is a regression due to our lack of equivalence
>>  > processing I think?  That should be resolved in the coming month, 
>> but at
>>  > the moment is a holdback/concern for converting these passes...  iirc.
>>
>> Yes.  Martin, the take away here is that the strlen/sprintf pass has 
>> been converted to the new API, but ranger is still not up and running 
>> on it (even on the branch).
>>
>> With the new API, all you have to do is remove all instances of 
>> evrp_range_analyzer and replace them with a ranger.  That's it.
>> Below is an untested patch that would convert you to a ranger once 
>> it's contributed.
>>
>> IIRC when I enabled the ranger for your pass a while back, there was 
>> one or two regressions due to missing equivalences, and the rest were 
>> because the tests were expecting an actual specific range, and the 
>> ranger returned a slightly different/better one.  You'll need to 
>> adjust your tests.
> 
> Ack.  I'll be on the lookout for the ranger commit (if you hppen
> to remember and CC me on it just in case I might miss it that would
> be great).

I have applied the patch and ran some tests.  There are quite
a few failures (see the list below).  I have only looked at
a couple.  The one in in gcc.dg/tree-ssa/builtin-sprintf-warn-3.c
boils down to the following test case.  There should be no warning
for either sprintf call.  The one in h() is a false positive and
the reason for at least some of the regressions.  Somehow,
the conversions between int and char are causing Ranger to lose
the range.

$ cat t.c && gcc -O2 -S -Wall t.c
char a[2];

extern int x;

signed char f (int min, int max)
{
   signed char i = x;
   return i < min || max < i ? min : i;
}

void ff (signed char i)
{
   __builtin_sprintf (a, "%i", f (0, 9));   // okay
}

signed char g (signed char min, signed char max)
{
   signed char i = x;
   return i < min || max < i ? min : i;
}

void gg (void)
{
   __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
}

t.c: In function ‘gg’:
t.c:24:26: warning: ‘%i’ directive writing between 1 and 4 bytes into a 
region of size 2 [-Wformat-overflow=]
    24 |   __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
       |                          ^~
t.c:24:25: note: directive argument in the range [-128, 127]
    24 |   __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
       |                         ^~~~
t.c:24:3: note: ‘__builtin_sprintf’ output between 2 and 5 bytes into a 
destination of size 2
    24 |   __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
       |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Another failure (the one in builtin-sprintf-warn-22.c) is this where
the false positive is due to the strlen pass somehow having lost
the upper bound on the sum of the two string lengths.

$ cat t.c && gcc -O2 -S -Wall t.c
typedef __SIZE_TYPE__ size_t;

char a[1025];

void g (char *s1, char *s2)
{
   size_t n = __builtin_strlen (s1), d = __builtin_strlen (s2);
   if (n + d + 1 >= 1025)
     return;

   __builtin_sprintf (a, "%s.%s", s1, s2);     // { dg-bogus 
"\\\[-Wformat-overflow" }
}

t.c: In function ‘g’:
t.c:11:29: warning: ‘%s’ directive writing up to 1023 bytes into a 
region of size between 1 and 1024 [-Wformat-overflow=]
    11 |   __builtin_sprintf (a, "%s.%s", s1, s2);     // { dg-bogus 
"\\\[-Wformat-overflow" }
       |                             ^~
t.c:11:3: note: ‘__builtin_sprintf’ output between 2 and 2048 bytes into 
a destination of size 1025
    11 |   __builtin_sprintf (a, "%s.%s", s1, s2);     // { dg-bogus 
"\\\[-Wformat-overflow" }
       |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


I'll see if I can reduce the others into test cases but I'll have
to hold off on enabling the ranger in the sprintf/strlen pass until
these issues are resolved.

Thanks
Martin

FAIL: gcc.dg/Wstringop-overflow-20.c  (test for warnings, line 28)
FAIL: gcc.dg/Wstringop-overflow-20.c  (test for warnings, line 29)
FAIL: gcc.dg/Wstringop-overflow-20.c  (test for warnings, line 32)
FAIL: gcc.dg/Wstringop-overflow-20.c  (test for warnings, line 38)
FAIL: gcc.dg/Wstringop-overflow-20.c  (test for warnings, line 39)
XPASS: gcc.dg/pr80776-1.c  (test for bogus messages, line 22)
FAIL: gcc.dg/strlenopt-81.c (test for excess errors)
FAIL: gcc.dg/strlenopt-90.c scan-tree-dump-not strlen1 "strlen \\(\\&a"
FAIL: gcc.dg/strlenopt-80.c scan-tree-dump-times optimized 
"failure_on_line \\(" 0
FAIL: gcc.dg/strlenopt-89.c scan-tree-dump-not strlen1 "strlen \\(\\&a"
FAIL: gcc.dg/strlenopt-89.c scan-tree-dump-not strlen1 "a1\\] = 0;"
FAIL: gcc.dg/strlenopt-89.c scan-tree-dump-not strlen1 "a2 \\+ 1B\\] = 0;"
FAIL: gcc.dg/strlenopt-89.c scan-tree-dump-not strlen1 "a3 \\+ 2B\\] = 0;"
FAIL: gcc.dg/strlenopt-89.c scan-tree-dump-not strlen1 "a4 \\+ 3B\\] = 0;"
FAIL: gcc.dg/strlenopt-89.c scan-tree-dump-not strlen1 "a5 \\+ 4B\\] = 0;"
FAIL: gcc.dg/strlenopt-89.c scan-tree-dump-not strlen1 "a6 \\+ 5B\\] = 0;"
FAIL: gcc.dg/strlenopt-89.c scan-tree-dump-not strlen1 "a7 \\+ 6B\\] = 0;"
FAIL: gcc.dg/strlenopt-89.c scan-tree-dump-not strlen1 "a8 \\+ 7B\\] = 0;"
FAIL: gcc.dg/tree-ssa/builtin-sprintf-warn-3.c (test for excess errors)
(many failures)
FAIL: gcc.dg/tree-ssa/builtin-sprintf-warn-22.c  (test for bogus 
messages, line 21)


> 
> Thanks
> Martin
> 
>>
>> Aldy
>>
>> diff --git a/gcc/tree-ssa-strlen.c b/gcc/tree-ssa-strlen.c
>> index f4d1c5ca256..9f9e95b7155 100644
>> --- a/gcc/tree-ssa-strlen.c
>> +++ b/gcc/tree-ssa-strlen.c
>> @@ -58,8 +58,8 @@ along with GCC; see the file COPYING3.  If not see
>>   #include "tree-ssa-loop.h"
>>   #include "tree-scalar-evolution.h"
>>   #include "vr-values.h"
>> -#include "gimple-ssa-evrp-analyze.h"
>>   #include "tree-ssa.h"
>> +#include "gimple-range.h"
>>
>>   /* A vector indexed by SSA_NAME_VERSION.  0 means unknown, positive 
>> value
>>      is an index into strinfo vector, negative value stands for
>> @@ -5755,16 +5755,13 @@ class strlen_dom_walker : public dom_walker
>>   public:
>>     strlen_dom_walker (cdi_direction direction)
>>       : dom_walker (direction),
>> -    evrp (false),
>>       m_cleanup_cfg (false)
>>     {}
>>
>>     virtual edge before_dom_children (basic_block);
>>     virtual void after_dom_children (basic_block);
>>
>> -  /* EVRP analyzer used for printf argument range processing, and
>> -     to track strlen results across integer variable assignments.  */
>> -  evrp_range_analyzer evrp;
>> +  gimple_ranger ranger;
>>
>>     /* Flag that will trigger TODO_cleanup_cfg to be returned in strlen
>>        execute function.  */
>> @@ -5777,8 +5774,6 @@ public:
>>   edge
>>   strlen_dom_walker::before_dom_children (basic_block bb)
>>   {
>> -  evrp.enter (bb);
>> -
>>     basic_block dombb = get_immediate_dominator (CDI_DOMINATORS, bb);
>>
>>     if (dombb == NULL)
>> @@ -5853,13 +5848,7 @@ strlen_dom_walker::before_dom_children 
>> (basic_block bb)
>>     /* Attempt to optimize individual statements.  */
>>     for (gimple_stmt_iterator gsi = gsi_start_bb (bb); !gsi_end_p 
>> (gsi); )
>>       {
>> -      gimple *stmt = gsi_stmt (gsi);
>> -
>> -      /* First record ranges generated by this statement so they
>> -     can be used by printf argument processing.  */
>> -      evrp.record_ranges_from_stmt (stmt, false);
>> -
>> -      if (check_and_optimize_stmt (&gsi, &cleanup_eh, &evrp))
>> +      if (check_and_optimize_stmt (&gsi, &cleanup_eh, &ranger))
>>       gsi_next (&gsi);
>>       }
>>
>> @@ -5878,8 +5867,6 @@ strlen_dom_walker::before_dom_children 
>> (basic_block bb)
>>   void
>>   strlen_dom_walker::after_dom_children (basic_block bb)
>>   {
>> -  evrp.leave (bb);
>> -
>>     if (bb->aux)
>>       {
>>         stridx_to_strinfo = ((vec<strinfo *, va_heap, vl_embed> *) 
>> bb->aux);
>>
>

On 11/5/20 12:29 PM, Martin Sebor wrote:
> On 10/1/20 11:25 AM, Martin Sebor wrote:
>> On 10/1/20 9:34 AM, Aldy Hernandez wrote:
>>>
>>>
>>> On 10/1/20 3:22 PM, Andrew MacLeod wrote:
>>>  > On 10/1/20 5:05 AM, Aldy Hernandez via Gcc-patches wrote:
>>>  >>> Thanks for doing all this!  There isn't anything I don't understand
>>>  >>> in the sprintf changes so no questions from me (well, almost none).
>>>  >>> Just some comments:
>>>  >> Thanks for your comments on the sprintf/strlen API conversion.
>>>  >>
>>>  >>> The current call statement is available in all functions that take
>>>  >>> a directive argument, as dir->info.callstmt.  There should be no 
>>> need
>>>  >>> to also add it as a new argument to the functions that now need it.
>>>  >> Fixed.
>>>  >>
>>>  >>> The change adds code along these lines in a bunch of places:
>>>  >>>
>>>  >>> +         value_range vr;
>>>  >>> +         if (!query->range_of_expr (vr, arg, stmt))
>>>  >>> +           vr.set_varying (TREE_TYPE (arg));
>>>  >>>
>>>  >>> I thought under the new Ranger APIs when a range couldn't be
>>>  >>> determined it would be automatically set to the maximum for
>>>  >>> the type.  I like that and have been moving in that direction
>>>  >>> with my code myself (rather than having an API fail, have it
>>>  >>> set the max range and succeed).
>>>  >> I went through all the above idioms and noticed all are being 
>>> used on
>>>  >> supported types (integers or pointers).  So range_of_expr will 
>>> always
>>>  >> return true.  I've removed the if() and the set_varying.
>>>  >>
>>>  >>> Since that isn't so in this case, I think it would still be nice
>>>  >>> if the added code could be written as if the range were set to
>>>  >>> varying in this case and (ideally) reduced to just initialization:
>>>  >>>
>>>  >>>     value_range vr = some-function (query, stmt, arg);
>>>  >>>
>>>  >>> some-function could be an inline helper defined just for the 
>>> sprintf
>>>  >>> pass (and maybe also strlen which also seems to use the same 
>>> pattern),
>>>  >>> or it could be a value_range AKA irange ctor, or it could be a 
>>> member
>>>  >>> of range_query, whatever is the most appropriate.
>>>  >>>
>>>  >>> (If assigning/copying a value_range is thought to be too expensive,
>>>  >>> declaring it first and then passing it to that helper to set it
>>>  >>> would work too).
>>>  >>>
>>>  >>> In strlen, is the removed comment no longer relevant?  (I.e., does
>>>  >>> the ranger solve the problem?)
>>>  >>>
>>>  >>> -      /* The range below may be "inaccurate" if a constant has 
>>> been
>>>  >>> -        substituted earlier for VAL by this pass that hasn't been
>>>  >>> -        propagated through the CFG.  This shoud be fixed by the 
>>> new
>>>  >>> -        on-demand VRP if/when it becomes available (hopefully in
>>>  >>> -        GCC 11).  */
>>>  >> It should.
>>>  >>
>>>  >>> I'm wondering about the comment added to get_range_strlen_dynamic
>>>  >>> and other places:
>>>  >>>
>>>  >>> +         // FIXME: Use range_query instead of global ranges.
>>>  >>>
>>>  >>> Is that something you're planning to do in a followup or should
>>>  >>> I remember to do it at some point?
>>>  >> I'm not planning on doing it.  It's just a reminder that it would be
>>>  >> beneficial to do so.
>>>  >>
>>>  >>> Otherwise I have no concern with the changes.
>>>  >> It's not cleared whether Andrew approved all 3 parts of the patchset
>>>  >> or just the valuation part.  I'll wait for his nod before committing
>>>  >> this chunk.
>>>  >>
>>>  >> Aldy
>>>  >>
>>>  > I have no issue with it, so OK.
>>>
>>> Pushed all 3 patches.
>>>
>>>  >
>>>  > Just an observation that should be pointed out, I believe Aldy has 
>>> all
>>>  > the code for converting to a ranger, but we have not pursued that any
>>>  > further yet since there is a regression due to our lack of 
>>> equivalence
>>>  > processing I think?  That should be resolved in the coming month, 
>>> but at
>>>  > the moment is a holdback/concern for converting these passes...  
>>> iirc.
>>>
>>> Yes.  Martin, the take away here is that the strlen/sprintf pass has 
>>> been converted to the new API, but ranger is still not up and running 
>>> on it (even on the branch).
>>>
>>> With the new API, all you have to do is remove all instances of 
>>> evrp_range_analyzer and replace them with a ranger.  That's it.
>>> Below is an untested patch that would convert you to a ranger once 
>>> it's contributed.
>>>
>>> IIRC when I enabled the ranger for your pass a while back, there was 
>>> one or two regressions due to missing equivalences, and the rest were 
>>> because the tests were expecting an actual specific range, and the 
>>> ranger returned a slightly different/better one.  You'll need to 
>>> adjust your tests.
>>
>> Ack.  I'll be on the lookout for the ranger commit (if you hppen
>> to remember and CC me on it just in case I might miss it that would
>> be great).
> 
> I have applied the patch and ran some tests.  There are quite
> a few failures (see the list below).  I have only looked at
> a couple.  The one in in gcc.dg/tree-ssa/builtin-sprintf-warn-3.c
> boils down to the following test case.  There should be no warning
> for either sprintf call.  The one in h() is a false positive and
> the reason for at least some of the regressions.  Somehow,
> the conversions between int and char are causing Ranger to lose
> the range.
> 
> $ cat t.c && gcc -O2 -S -Wall t.c
> char a[2];
> 
> extern int x;
> 
> signed char f (int min, int max)
> {
>    signed char i = x;
>    return i < min || max < i ? min : i;
> }
> 
> void ff (signed char i)
> {
>    __builtin_sprintf (a, "%i", f (0, 9));   // okay
> }
> 
> signed char g (signed char min, signed char max)
> {
>    signed char i = x;
>    return i < min || max < i ? min : i;
> }
> 
> void gg (void)
> {
>    __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
> }
> 
> t.c: In function ‘gg’:
> t.c:24:26: warning: ‘%i’ directive writing between 1 and 4 bytes into a 
> region of size 2 [-Wformat-overflow=]
>     24 |   __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
>        |                          ^~
> t.c:24:25: note: directive argument in the range [-128, 127]
>     24 |   __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
>        |                         ^~~~
> t.c:24:3: note: ‘__builtin_sprintf’ output between 2 and 5 bytes into a 
> destination of size 2
>     24 |   __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
>        |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> 
> Another failure (the one in builtin-sprintf-warn-22.c) is this where
> the false positive is due to the strlen pass somehow having lost
> the upper bound on the sum of the two string lengths.

I'm guessing this might have something to do with the strlen pass
calling set_range_info() on the nonconstant results of strlen calls
it can determine the range for.  How would I go about doing it with
ranger?  I see ranger_cache::set_global_range() and the class ctor
takes a gimple_ranger as argument.  Would calling the function be
the right way to do it?  (I couldn't find anything on the Wiki.)

> 
> $ cat t.c && gcc -O2 -S -Wall t.c
> typedef __SIZE_TYPE__ size_t;
> 
> char a[1025];
> 
> void g (char *s1, char *s2)
> {
>    size_t n = __builtin_strlen (s1), d = __builtin_strlen (s2);
>    if (n + d + 1 >= 1025)
>      return;
> 
>    __builtin_sprintf (a, "%s.%s", s1, s2);     // { dg-bogus 
> "\\\[-Wformat-overflow" }
> }
> 
> t.c: In function ‘g’:
> t.c:11:29: warning: ‘%s’ directive writing up to 1023 bytes into a 
> region of size between 1 and 1024 [-Wformat-overflow=]
>     11 |   __builtin_sprintf (a, "%s.%s", s1, s2);     // { dg-bogus 
> "\\\[-Wformat-overflow" }
>        |                             ^~
> t.c:11:3: note: ‘__builtin_sprintf’ output between 2 and 2048 bytes into 
> a destination of size 1025
>     11 |   __builtin_sprintf (a, "%s.%s", s1, s2);     // { dg-bogus 
> "\\\[-Wformat-overflow" }
>        |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> 
> I'll see if I can reduce the others into test cases but I'll have
> to hold off on enabling the ranger in the sprintf/strlen pass until
> these issues are resolved.
> 
> Thanks
> Martin
> 
> FAIL: gcc.dg/Wstringop-overflow-20.c  (test for warnings, line 28)
> FAIL: gcc.dg/Wstringop-overflow-20.c  (test for warnings, line 29)
> FAIL: gcc.dg/Wstringop-overflow-20.c  (test for warnings, line 32)
> FAIL: gcc.dg/Wstringop-overflow-20.c  (test for warnings, line 38)
> FAIL: gcc.dg/Wstringop-overflow-20.c  (test for warnings, line 39)
> XPASS: gcc.dg/pr80776-1.c  (test for bogus messages, line 22)
> FAIL: gcc.dg/strlenopt-81.c (test for excess errors)
> FAIL: gcc.dg/strlenopt-90.c scan-tree-dump-not strlen1 "strlen \\(\\&a"
> FAIL: gcc.dg/strlenopt-80.c scan-tree-dump-times optimized 
> "failure_on_line \\(" 0
> FAIL: gcc.dg/strlenopt-89.c scan-tree-dump-not strlen1 "strlen \\(\\&a"
> FAIL: gcc.dg/strlenopt-89.c scan-tree-dump-not strlen1 "a1\\] = 0;"
> FAIL: gcc.dg/strlenopt-89.c scan-tree-dump-not strlen1 "a2 \\+ 1B\\] = 0;"
> FAIL: gcc.dg/strlenopt-89.c scan-tree-dump-not strlen1 "a3 \\+ 2B\\] = 0;"
> FAIL: gcc.dg/strlenopt-89.c scan-tree-dump-not strlen1 "a4 \\+ 3B\\] = 0;"
> FAIL: gcc.dg/strlenopt-89.c scan-tree-dump-not strlen1 "a5 \\+ 4B\\] = 0;"
> FAIL: gcc.dg/strlenopt-89.c scan-tree-dump-not strlen1 "a6 \\+ 5B\\] = 0;"
> FAIL: gcc.dg/strlenopt-89.c scan-tree-dump-not strlen1 "a7 \\+ 6B\\] = 0;"
> FAIL: gcc.dg/strlenopt-89.c scan-tree-dump-not strlen1 "a8 \\+ 7B\\] = 0;"
> FAIL: gcc.dg/tree-ssa/builtin-sprintf-warn-3.c (test for excess errors)
> (many failures)
> FAIL: gcc.dg/tree-ssa/builtin-sprintf-warn-22.c  (test for bogus 
> messages, line 21)
> 
> 
>>
>> Thanks
>> Martin
>>
>>>
>>> Aldy
>>>
>>> diff --git a/gcc/tree-ssa-strlen.c b/gcc/tree-ssa-strlen.c
>>> index f4d1c5ca256..9f9e95b7155 100644
>>> --- a/gcc/tree-ssa-strlen.c
>>> +++ b/gcc/tree-ssa-strlen.c
>>> @@ -58,8 +58,8 @@ along with GCC; see the file COPYING3.  If not see
>>>   #include "tree-ssa-loop.h"
>>>   #include "tree-scalar-evolution.h"
>>>   #include "vr-values.h"
>>> -#include "gimple-ssa-evrp-analyze.h"
>>>   #include "tree-ssa.h"
>>> +#include "gimple-range.h"
>>>
>>>   /* A vector indexed by SSA_NAME_VERSION.  0 means unknown, positive 
>>> value
>>>      is an index into strinfo vector, negative value stands for
>>> @@ -5755,16 +5755,13 @@ class strlen_dom_walker : public dom_walker
>>>   public:
>>>     strlen_dom_walker (cdi_direction direction)
>>>       : dom_walker (direction),
>>> -    evrp (false),
>>>       m_cleanup_cfg (false)
>>>     {}
>>>
>>>     virtual edge before_dom_children (basic_block);
>>>     virtual void after_dom_children (basic_block);
>>>
>>> -  /* EVRP analyzer used for printf argument range processing, and
>>> -     to track strlen results across integer variable assignments.  */
>>> -  evrp_range_analyzer evrp;
>>> +  gimple_ranger ranger;
>>>
>>>     /* Flag that will trigger TODO_cleanup_cfg to be returned in strlen
>>>        execute function.  */
>>> @@ -5777,8 +5774,6 @@ public:
>>>   edge
>>>   strlen_dom_walker::before_dom_children (basic_block bb)
>>>   {
>>> -  evrp.enter (bb);
>>> -
>>>     basic_block dombb = get_immediate_dominator (CDI_DOMINATORS, bb);
>>>
>>>     if (dombb == NULL)
>>> @@ -5853,13 +5848,7 @@ strlen_dom_walker::before_dom_children 
>>> (basic_block bb)
>>>     /* Attempt to optimize individual statements.  */
>>>     for (gimple_stmt_iterator gsi = gsi_start_bb (bb); !gsi_end_p 
>>> (gsi); )
>>>       {
>>> -      gimple *stmt = gsi_stmt (gsi);
>>> -
>>> -      /* First record ranges generated by this statement so they
>>> -     can be used by printf argument processing.  */
>>> -      evrp.record_ranges_from_stmt (stmt, false);
>>> -
>>> -      if (check_and_optimize_stmt (&gsi, &cleanup_eh, &evrp))
>>> +      if (check_and_optimize_stmt (&gsi, &cleanup_eh, &ranger))
>>>       gsi_next (&gsi);
>>>       }
>>>
>>> @@ -5878,8 +5867,6 @@ strlen_dom_walker::before_dom_children 
>>> (basic_block bb)
>>>   void
>>>   strlen_dom_walker::after_dom_children (basic_block bb)
>>>   {
>>> -  evrp.leave (bb);
>>> -
>>>     if (bb->aux)
>>>       {
>>>         stridx_to_strinfo = ((vec<strinfo *, va_heap, vl_embed> *) 
>>> bb->aux);
>>>
>>
>

On 11/5/20 4:02 PM, Martin Sebor wrote:
> On 11/5/20 12:29 PM, Martin Sebor wrote:
>> On 10/1/20 11:25 AM, Martin Sebor wrote:
>>> On 10/1/20 9:34 AM, Aldy Hernandez wrote:
>>>>
>>>>
>>>> On 10/1/20 3:22 PM, Andrew MacLeod wrote:
>>>>  > On 10/1/20 5:05 AM, Aldy Hernandez via Gcc-patches wrote:
>>>>  >>> Thanks for doing all this!  There isn't anything I don't 
>>>> understand
>>>>  >>> in the sprintf changes so no questions from me (well, almost 
>>>> none).
>>>>  >>> Just some comments:
>>>>  >> Thanks for your comments on the sprintf/strlen API conversion.
>>>>  >>
>>>>  >>> The current call statement is available in all functions that 
>>>> take
>>>>  >>> a directive argument, as dir->info.callstmt.  There should be 
>>>> no need
>>>>  >>> to also add it as a new argument to the functions that now 
>>>> need it.
>>>>  >> Fixed.
>>>>  >>
>>>>  >>> The change adds code along these lines in a bunch of places:
>>>>  >>>
>>>>  >>> +         value_range vr;
>>>>  >>> +         if (!query->range_of_expr (vr, arg, stmt))
>>>>  >>> +           vr.set_varying (TREE_TYPE (arg));
>>>>  >>>
>>>>  >>> I thought under the new Ranger APIs when a range couldn't be
>>>>  >>> determined it would be automatically set to the maximum for
>>>>  >>> the type.  I like that and have been moving in that direction
>>>>  >>> with my code myself (rather than having an API fail, have it
>>>>  >>> set the max range and succeed).
>>>>  >> I went through all the above idioms and noticed all are being 
>>>> used on
>>>>  >> supported types (integers or pointers).  So range_of_expr will 
>>>> always
>>>>  >> return true.  I've removed the if() and the set_varying.
>>>>  >>
>>>>  >>> Since that isn't so in this case, I think it would still be nice
>>>>  >>> if the added code could be written as if the range were set to
>>>>  >>> varying in this case and (ideally) reduced to just 
>>>> initialization:
>>>>  >>>
>>>>  >>>     value_range vr = some-function (query, stmt, arg);
>>>>  >>>
>>>>  >>> some-function could be an inline helper defined just for the 
>>>> sprintf
>>>>  >>> pass (and maybe also strlen which also seems to use the same 
>>>> pattern),
>>>>  >>> or it could be a value_range AKA irange ctor, or it could be a 
>>>> member
>>>>  >>> of range_query, whatever is the most appropriate.
>>>>  >>>
>>>>  >>> (If assigning/copying a value_range is thought to be too 
>>>> expensive,
>>>>  >>> declaring it first and then passing it to that helper to set it
>>>>  >>> would work too).
>>>>  >>>
>>>>  >>> In strlen, is the removed comment no longer relevant?  (I.e., 
>>>> does
>>>>  >>> the ranger solve the problem?)
>>>>  >>>
>>>>  >>> -      /* The range below may be "inaccurate" if a constant 
>>>> has been
>>>>  >>> -        substituted earlier for VAL by this pass that hasn't 
>>>> been
>>>>  >>> -        propagated through the CFG.  This shoud be fixed by 
>>>> the new
>>>>  >>> -        on-demand VRP if/when it becomes available (hopefully in
>>>>  >>> -        GCC 11).  */
>>>>  >> It should.
>>>>  >>
>>>>  >>> I'm wondering about the comment added to get_range_strlen_dynamic
>>>>  >>> and other places:
>>>>  >>>
>>>>  >>> +         // FIXME: Use range_query instead of global ranges.
>>>>  >>>
>>>>  >>> Is that something you're planning to do in a followup or should
>>>>  >>> I remember to do it at some point?
>>>>  >> I'm not planning on doing it.  It's just a reminder that it 
>>>> would be
>>>>  >> beneficial to do so.
>>>>  >>
>>>>  >>> Otherwise I have no concern with the changes.
>>>>  >> It's not cleared whether Andrew approved all 3 parts of the 
>>>> patchset
>>>>  >> or just the valuation part.  I'll wait for his nod before 
>>>> committing
>>>>  >> this chunk.
>>>>  >>
>>>>  >> Aldy
>>>>  >>
>>>>  > I have no issue with it, so OK.
>>>>
>>>> Pushed all 3 patches.
>>>>
>>>>  >
>>>>  > Just an observation that should be pointed out, I believe Aldy 
>>>> has all
>>>>  > the code for converting to a ranger, but we have not pursued 
>>>> that any
>>>>  > further yet since there is a regression due to our lack of 
>>>> equivalence
>>>>  > processing I think?  That should be resolved in the coming 
>>>> month, but at
>>>>  > the moment is a holdback/concern for converting these passes...  
>>>> iirc.
>>>>
>>>> Yes.  Martin, the take away here is that the strlen/sprintf pass 
>>>> has been converted to the new API, but ranger is still not up and 
>>>> running on it (even on the branch).
>>>>
>>>> With the new API, all you have to do is remove all instances of 
>>>> evrp_range_analyzer and replace them with a ranger. That's it.
>>>> Below is an untested patch that would convert you to a ranger once 
>>>> it's contributed.
>>>>
>>>> IIRC when I enabled the ranger for your pass a while back, there 
>>>> was one or two regressions due to missing equivalences, and the 
>>>> rest were because the tests were expecting an actual specific 
>>>> range, and the ranger returned a slightly different/better one.  
>>>> You'll need to adjust your tests.
>>>
>>> Ack.  I'll be on the lookout for the ranger commit (if you hppen
>>> to remember and CC me on it just in case I might miss it that would
>>> be great).
>>
>> I have applied the patch and ran some tests.  There are quite
>> a few failures (see the list below).  I have only looked at
>> a couple.  The one in in gcc.dg/tree-ssa/builtin-sprintf-warn-3.c
>> boils down to the following test case.  There should be no warning
>> for either sprintf call.  The one in h() is a false positive and
>> the reason for at least some of the regressions.  Somehow,
>> the conversions between int and char are causing Ranger to lose
>> the range.
>>
>> $ cat t.c && gcc -O2 -S -Wall t.c
>> char a[2];
>>
>> extern int x;
>>
>> signed char f (int min, int max)
>> {
>>    signed char i = x;
>>    return i < min || max < i ? min : i;
>> }
>>
>> void ff (signed char i)
>> {
>>    __builtin_sprintf (a, "%i", f (0, 9));   // okay
>> }
>>
>> signed char g (signed char min, signed char max)
>> {
>>    signed char i = x;
>>    return i < min || max < i ? min : i;
>> }
>>
>> void gg (void)
>> {
>>    __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
>> }
>>
>> t.c: In function ‘gg’:
>> t.c:24:26: warning: ‘%i’ directive writing between 1 and 4 bytes into 
>> a region of size 2 [-Wformat-overflow=]
>>     24 |   __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
>>        |                          ^~
>> t.c:24:25: note: directive argument in the range [-128, 127]
>>     24 |   __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
>>        |                         ^~~~
>> t.c:24:3: note: ‘__builtin_sprintf’ output between 2 and 5 bytes into 
>> a destination of size 2
>>     24 |   __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
>>        |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>>
>> Another failure (the one in builtin-sprintf-warn-22.c) is this where
>> the false positive is due to the strlen pass somehow having lost
>> the upper bound on the sum of the two string lengths.
>
> I'm guessing this might have something to do with the strlen pass
> calling set_range_info() on the nonconstant results of strlen calls
> it can determine the range for.  How would I go about doing it with
> ranger?  I see ranger_cache::set_global_range() and the class ctor
> takes a gimple_ranger as argument.  Would calling the function be
> the right way to do it?  (I couldn't find anything on the Wiki.)

I haven't had time to write a new modern wiki yet... probably won't 
until well after stage 1 closes either.

And no, thats the internal cache of the ranger, which you dont  have 
access to.

At the moment, there isnt a way to inject a "new" global range out of 
the blue.  It hasnt been a  requirement before, but wouldn't be 
particularly difficult.

Short answer, there is no current equivalent of set_range_info() because 
we dont have a persistent global cache in the same way, and the ranger 
doesnt set  the RANGE_INFO field at this point.. we havent gotten to the 
point of reworking that yet.

So the question is, what exactly are you trying to do? I presume you are 
analyzing  a strlen statement, and are making range conclusions about 
either the result or some of the operands are that are not otherwise 
exposed in the code?

And you are looking to have those values injected into the rangers 
calculations as refinements?

Andrew

On 11/5/20 2:29 PM, Martin Sebor wrote:
>
>
> signed char g (signed char min, signed char max)
> {
>   signed char i = x;
>   return i < min || max < i ? min : i;
> }
>
> void gg (void)
> {
>   __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
> }
Im looking at this. its actually completely different code thats 
generated for this signed char case.  And something is being missed that 
shouldnt be.     I'll get back to you.

Andrew

On 11/5/20 5:02 PM, Andrew MacLeod wrote:
> On 11/5/20 4:02 PM, Martin Sebor wrote:
>> On 11/5/20 12:29 PM, Martin Sebor wrote:
>>> On 10/1/20 11:25 AM, Martin Sebor wrote:
>>>> On 10/1/20 9:34 AM, Aldy Hernandez wrote:
>>>>>
>>>>>
>>>>> On 10/1/20 3:22 PM, Andrew MacLeod wrote:
>>>>>  > On 10/1/20 5:05 AM, Aldy Hernandez via Gcc-patches wrote:
>>>>>  >>> Thanks for doing all this!  There isn't anything I don't 
>>>>> understand
>>>>>  >>> in the sprintf changes so no questions from me (well, almost 
>>>>> none).
>>>>>  >>> Just some comments:
>>>>>  >> Thanks for your comments on the sprintf/strlen API conversion.
>>>>>  >>
>>>>>  >>> The current call statement is available in all functions that 
>>>>> take
>>>>>  >>> a directive argument, as dir->info.callstmt.  There should be 
>>>>> no need
>>>>>  >>> to also add it as a new argument to the functions that now 
>>>>> need it.
>>>>>  >> Fixed.
>>>>>  >>
>>>>>  >>> The change adds code along these lines in a bunch of places:
>>>>>  >>>
>>>>>  >>> +         value_range vr;
>>>>>  >>> +         if (!query->range_of_expr (vr, arg, stmt))
>>>>>  >>> +           vr.set_varying (TREE_TYPE (arg));
>>>>>  >>>
>>>>>  >>> I thought under the new Ranger APIs when a range couldn't be
>>>>>  >>> determined it would be automatically set to the maximum for
>>>>>  >>> the type.  I like that and have been moving in that direction
>>>>>  >>> with my code myself (rather than having an API fail, have it
>>>>>  >>> set the max range and succeed).
>>>>>  >> I went through all the above idioms and noticed all are being 
>>>>> used on
>>>>>  >> supported types (integers or pointers).  So range_of_expr will 
>>>>> always
>>>>>  >> return true.  I've removed the if() and the set_varying.
>>>>>  >>
>>>>>  >>> Since that isn't so in this case, I think it would still be nice
>>>>>  >>> if the added code could be written as if the range were set to
>>>>>  >>> varying in this case and (ideally) reduced to just 
>>>>> initialization:
>>>>>  >>>
>>>>>  >>>     value_range vr = some-function (query, stmt, arg);
>>>>>  >>>
>>>>>  >>> some-function could be an inline helper defined just for the 
>>>>> sprintf
>>>>>  >>> pass (and maybe also strlen which also seems to use the same 
>>>>> pattern),
>>>>>  >>> or it could be a value_range AKA irange ctor, or it could be a 
>>>>> member
>>>>>  >>> of range_query, whatever is the most appropriate.
>>>>>  >>>
>>>>>  >>> (If assigning/copying a value_range is thought to be too 
>>>>> expensive,
>>>>>  >>> declaring it first and then passing it to that helper to set it
>>>>>  >>> would work too).
>>>>>  >>>
>>>>>  >>> In strlen, is the removed comment no longer relevant?  (I.e., 
>>>>> does
>>>>>  >>> the ranger solve the problem?)
>>>>>  >>>
>>>>>  >>> -      /* The range below may be "inaccurate" if a constant 
>>>>> has been
>>>>>  >>> -        substituted earlier for VAL by this pass that hasn't 
>>>>> been
>>>>>  >>> -        propagated through the CFG.  This shoud be fixed by 
>>>>> the new
>>>>>  >>> -        on-demand VRP if/when it becomes available (hopefully in
>>>>>  >>> -        GCC 11).  */
>>>>>  >> It should.
>>>>>  >>
>>>>>  >>> I'm wondering about the comment added to get_range_strlen_dynamic
>>>>>  >>> and other places:
>>>>>  >>>
>>>>>  >>> +         // FIXME: Use range_query instead of global ranges.
>>>>>  >>>
>>>>>  >>> Is that something you're planning to do in a followup or should
>>>>>  >>> I remember to do it at some point?
>>>>>  >> I'm not planning on doing it.  It's just a reminder that it 
>>>>> would be
>>>>>  >> beneficial to do so.
>>>>>  >>
>>>>>  >>> Otherwise I have no concern with the changes.
>>>>>  >> It's not cleared whether Andrew approved all 3 parts of the 
>>>>> patchset
>>>>>  >> or just the valuation part.  I'll wait for his nod before 
>>>>> committing
>>>>>  >> this chunk.
>>>>>  >>
>>>>>  >> Aldy
>>>>>  >>
>>>>>  > I have no issue with it, so OK.
>>>>>
>>>>> Pushed all 3 patches.
>>>>>
>>>>>  >
>>>>>  > Just an observation that should be pointed out, I believe Aldy 
>>>>> has all
>>>>>  > the code for converting to a ranger, but we have not pursued 
>>>>> that any
>>>>>  > further yet since there is a regression due to our lack of 
>>>>> equivalence
>>>>>  > processing I think?  That should be resolved in the coming 
>>>>> month, but at
>>>>>  > the moment is a holdback/concern for converting these passes... 
>>>>> iirc.
>>>>>
>>>>> Yes.  Martin, the take away here is that the strlen/sprintf pass 
>>>>> has been converted to the new API, but ranger is still not up and 
>>>>> running on it (even on the branch).
>>>>>
>>>>> With the new API, all you have to do is remove all instances of 
>>>>> evrp_range_analyzer and replace them with a ranger. That's it.
>>>>> Below is an untested patch that would convert you to a ranger once 
>>>>> it's contributed.
>>>>>
>>>>> IIRC when I enabled the ranger for your pass a while back, there 
>>>>> was one or two regressions due to missing equivalences, and the 
>>>>> rest were because the tests were expecting an actual specific 
>>>>> range, and the ranger returned a slightly different/better one. 
>>>>> You'll need to adjust your tests.
>>>>
>>>> Ack.  I'll be on the lookout for the ranger commit (if you hppen
>>>> to remember and CC me on it just in case I might miss it that would
>>>> be great).
>>>
>>> I have applied the patch and ran some tests.  There are quite
>>> a few failures (see the list below).  I have only looked at
>>> a couple.  The one in in gcc.dg/tree-ssa/builtin-sprintf-warn-3.c
>>> boils down to the following test case.  There should be no warning
>>> for either sprintf call.  The one in h() is a false positive and
>>> the reason for at least some of the regressions.  Somehow,
>>> the conversions between int and char are causing Ranger to lose
>>> the range.
>>>
>>> $ cat t.c && gcc -O2 -S -Wall t.c
>>> char a[2];
>>>
>>> extern int x;
>>>
>>> signed char f (int min, int max)
>>> {
>>>    signed char i = x;
>>>    return i < min || max < i ? min : i;
>>> }
>>>
>>> void ff (signed char i)
>>> {
>>>    __builtin_sprintf (a, "%i", f (0, 9));   // okay
>>> }
>>>
>>> signed char g (signed char min, signed char max)
>>> {
>>>    signed char i = x;
>>>    return i < min || max < i ? min : i;
>>> }
>>>
>>> void gg (void)
>>> {
>>>    __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
>>> }
>>>
>>> t.c: In function ‘gg’:
>>> t.c:24:26: warning: ‘%i’ directive writing between 1 and 4 bytes into 
>>> a region of size 2 [-Wformat-overflow=]
>>>     24 |   __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
>>>        |                          ^~
>>> t.c:24:25: note: directive argument in the range [-128, 127]
>>>     24 |   __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
>>>        |                         ^~~~
>>> t.c:24:3: note: ‘__builtin_sprintf’ output between 2 and 5 bytes into 
>>> a destination of size 2
>>>     24 |   __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
>>>        |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>
>>>
>>> Another failure (the one in builtin-sprintf-warn-22.c) is this where
>>> the false positive is due to the strlen pass somehow having lost
>>> the upper bound on the sum of the two string lengths.
>>
>> I'm guessing this might have something to do with the strlen pass
>> calling set_range_info() on the nonconstant results of strlen calls
>> it can determine the range for.  How would I go about doing it with
>> ranger?  I see ranger_cache::set_global_range() and the class ctor
>> takes a gimple_ranger as argument.  Would calling the function be
>> the right way to do it?  (I couldn't find anything on the Wiki.)
> 
> I haven't had time to write a new modern wiki yet... probably won't 
> until well after stage 1 closes either.
> 
> And no, thats the internal cache of the ranger, which you dont  have 
> access to.
> 
> At the moment, there isnt a way to inject a "new" global range out of 
> the blue.  It hasnt been a  requirement before, but wouldn't be 
> particularly difficult.
> 
> Short answer, there is no current equivalent of set_range_info() because 
> we dont have a persistent global cache in the same way, and the ranger 
> doesnt set  the RANGE_INFO field at this point.. we havent gotten to the 
> point of reworking that yet.
> 
> So the question is, what exactly are you trying to do? I presume you are 
> analyzing  a strlen statement, and are making range conclusions about 
> either the result or some of the operands are that are not otherwise 
> exposed in the code?
> 
> And you are looking to have those values injected into the rangers 
> calculations as refinements?

Yes, exactly.  This is used both for optimization and for warnings
(both to enable them and to suppress false positives).

Besides folding strlen and sprintf calls into constants, the strlen
pass sets the range of the results of the calls when the lengths of
the arguments/output are known to be at least some number of bytes.

Besides exposing optimization opportunities downstream, the pass
uses this information to either issue or suppress warnings like in
the sprintf case above.  -Wformat-overflow issues warnings either
based on string lengths (or ranges) if they're known, or based on
the sizes of the arrays the strings are stored in when nothing is
known about the lengths.  The array size is used as the worst case
estimate, which can cause false positives.

Here's an example of a downstream optimization made possible by
this.  Because i's range is known, the range of the snprintf result
is also known (the range is computed for all snprintf arguments).
The strlen pass sets the range and subsequent passes eliminate
the unreachable code.

   void f (int i)
   {
     if (i < 100 || 9999 < i)
       i = 100;

     int n = __builtin_snprintf (0, 0, "%i", i);
     if (n < 3 || 4 < n)
       __builtin_abort ();
   }

Martin

On 11/5/20 7:50 PM, Martin Sebor wrote:
> On 11/5/20 5:02 PM, Andrew MacLeod wrote:
>> On 11/5/20 4:02 PM, Martin Sebor wrote:
>>> On 11/5/20 12:29 PM, Martin Sebor wrote:
>>>> On 10/1/20 11:25 AM, Martin Sebor wrote:
>>>>> On 10/1/20 9:34 AM, Aldy Hernandez wrote:
>>>>>>
>>>>>>
>>>>>> On 10/1/20 3:22 PM, Andrew MacLeod wrote:
>>>>>>  > On 10/1/20 5:05 AM, Aldy Hernandez via Gcc-patches wrote:
>>>>>>  >>> Thanks for doing all this!  There isn't anything I don't 
>>>>>> understand
>>>>>>  >>> in the sprintf changes so no questions from me (well, almost 
>>>>>> none).
>>>>>>  >>> Just some comments:
>>>>>>  >> Thanks for your comments on the sprintf/strlen API conversion.
>>>>>>  >>
>>>>>>  >>> The current call statement is available in all functions 
>>>>>> that take
>>>>>>  >>> a directive argument, as dir->info.callstmt.  There should 
>>>>>> be no need
>>>>>>  >>> to also add it as a new argument to the functions that now 
>>>>>> need it.
>>>>>>  >> Fixed.
>>>>>>  >>
>>>>>>  >>> The change adds code along these lines in a bunch of places:
>>>>>>  >>>
>>>>>>  >>> +         value_range vr;
>>>>>>  >>> +         if (!query->range_of_expr (vr, arg, stmt))
>>>>>>  >>> +           vr.set_varying (TREE_TYPE (arg));
>>>>>>  >>>
>>>>>>  >>> I thought under the new Ranger APIs when a range couldn't be
>>>>>>  >>> determined it would be automatically set to the maximum for
>>>>>>  >>> the type.  I like that and have been moving in that direction
>>>>>>  >>> with my code myself (rather than having an API fail, have it
>>>>>>  >>> set the max range and succeed).
>>>>>>  >> I went through all the above idioms and noticed all are being 
>>>>>> used on
>>>>>>  >> supported types (integers or pointers).  So range_of_expr 
>>>>>> will always
>>>>>>  >> return true.  I've removed the if() and the set_varying.
>>>>>>  >>
>>>>>>  >>> Since that isn't so in this case, I think it would still be 
>>>>>> nice
>>>>>>  >>> if the added code could be written as if the range were set to
>>>>>>  >>> varying in this case and (ideally) reduced to just 
>>>>>> initialization:
>>>>>>  >>>
>>>>>>  >>>     value_range vr = some-function (query, stmt, arg);
>>>>>>  >>>
>>>>>>  >>> some-function could be an inline helper defined just for the 
>>>>>> sprintf
>>>>>>  >>> pass (and maybe also strlen which also seems to use the same 
>>>>>> pattern),
>>>>>>  >>> or it could be a value_range AKA irange ctor, or it could be 
>>>>>> a member
>>>>>>  >>> of range_query, whatever is the most appropriate.
>>>>>>  >>>
>>>>>>  >>> (If assigning/copying a value_range is thought to be too 
>>>>>> expensive,
>>>>>>  >>> declaring it first and then passing it to that helper to set it
>>>>>>  >>> would work too).
>>>>>>  >>>
>>>>>>  >>> In strlen, is the removed comment no longer relevant?  
>>>>>> (I.e., does
>>>>>>  >>> the ranger solve the problem?)
>>>>>>  >>>
>>>>>>  >>> -      /* The range below may be "inaccurate" if a constant 
>>>>>> has been
>>>>>>  >>> -        substituted earlier for VAL by this pass that 
>>>>>> hasn't been
>>>>>>  >>> -        propagated through the CFG.  This shoud be fixed by 
>>>>>> the new
>>>>>>  >>> -        on-demand VRP if/when it becomes available 
>>>>>> (hopefully in
>>>>>>  >>> -        GCC 11).  */
>>>>>>  >> It should.
>>>>>>  >>
>>>>>>  >>> I'm wondering about the comment added to 
>>>>>> get_range_strlen_dynamic
>>>>>>  >>> and other places:
>>>>>>  >>>
>>>>>>  >>> +         // FIXME: Use range_query instead of global ranges.
>>>>>>  >>>
>>>>>>  >>> Is that something you're planning to do in a followup or should
>>>>>>  >>> I remember to do it at some point?
>>>>>>  >> I'm not planning on doing it.  It's just a reminder that it 
>>>>>> would be
>>>>>>  >> beneficial to do so.
>>>>>>  >>
>>>>>>  >>> Otherwise I have no concern with the changes.
>>>>>>  >> It's not cleared whether Andrew approved all 3 parts of the 
>>>>>> patchset
>>>>>>  >> or just the valuation part.  I'll wait for his nod before 
>>>>>> committing
>>>>>>  >> this chunk.
>>>>>>  >>
>>>>>>  >> Aldy
>>>>>>  >>
>>>>>>  > I have no issue with it, so OK.
>>>>>>
>>>>>> Pushed all 3 patches.
>>>>>>
>>>>>>  >
>>>>>>  > Just an observation that should be pointed out, I believe Aldy 
>>>>>> has all
>>>>>>  > the code for converting to a ranger, but we have not pursued 
>>>>>> that any
>>>>>>  > further yet since there is a regression due to our lack of 
>>>>>> equivalence
>>>>>>  > processing I think?  That should be resolved in the coming 
>>>>>> month, but at
>>>>>>  > the moment is a holdback/concern for converting these 
>>>>>> passes... iirc.
>>>>>>
>>>>>> Yes.  Martin, the take away here is that the strlen/sprintf pass 
>>>>>> has been converted to the new API, but ranger is still not up and 
>>>>>> running on it (even on the branch).
>>>>>>
>>>>>> With the new API, all you have to do is remove all instances of 
>>>>>> evrp_range_analyzer and replace them with a ranger. That's it.
>>>>>> Below is an untested patch that would convert you to a ranger 
>>>>>> once it's contributed.
>>>>>>
>>>>>> IIRC when I enabled the ranger for your pass a while back, there 
>>>>>> was one or two regressions due to missing equivalences, and the 
>>>>>> rest were because the tests were expecting an actual specific 
>>>>>> range, and the ranger returned a slightly different/better one. 
>>>>>> You'll need to adjust your tests.
>>>>>
>>>>> Ack.  I'll be on the lookout for the ranger commit (if you hppen
>>>>> to remember and CC me on it just in case I might miss it that would
>>>>> be great).
>>>>
>>>> I have applied the patch and ran some tests.  There are quite
>>>> a few failures (see the list below).  I have only looked at
>>>> a couple.  The one in in gcc.dg/tree-ssa/builtin-sprintf-warn-3.c
>>>> boils down to the following test case.  There should be no warning
>>>> for either sprintf call.  The one in h() is a false positive and
>>>> the reason for at least some of the regressions.  Somehow,
>>>> the conversions between int and char are causing Ranger to lose
>>>> the range.
>>>>
>>>> $ cat t.c && gcc -O2 -S -Wall t.c
>>>> char a[2];
>>>>
>>>> extern int x;
>>>>
>>>> signed char f (int min, int max)
>>>> {
>>>>    signed char i = x;
>>>>    return i < min || max < i ? min : i;
>>>> }
>>>>
>>>> void ff (signed char i)
>>>> {
>>>>    __builtin_sprintf (a, "%i", f (0, 9));   // okay
>>>> }
>>>>
>>>> signed char g (signed char min, signed char max)
>>>> {
>>>>    signed char i = x;
>>>>    return i < min || max < i ? min : i;
>>>> }
>>>>
>>>> void gg (void)
>>>> {
>>>>    __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
>>>> }
>>>>
>>>> t.c: In function ‘gg’:
>>>> t.c:24:26: warning: ‘%i’ directive writing between 1 and 4 bytes 
>>>> into a region of size 2 [-Wformat-overflow=]
>>>>     24 |   __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
>>>>        |                          ^~
>>>> t.c:24:25: note: directive argument in the range [-128, 127]
>>>>     24 |   __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
>>>>        |                         ^~~~
>>>> t.c:24:3: note: ‘__builtin_sprintf’ output between 2 and 5 bytes 
>>>> into a destination of size 2
>>>>     24 |   __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
>>>>        |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>>
>>>>
>>>> Another failure (the one in builtin-sprintf-warn-22.c) is this where
>>>> the false positive is due to the strlen pass somehow having lost
>>>> the upper bound on the sum of the two string lengths.
>>>
>>> I'm guessing this might have something to do with the strlen pass
>>> calling set_range_info() on the nonconstant results of strlen calls
>>> it can determine the range for.  How would I go about doing it with
>>> ranger?  I see ranger_cache::set_global_range() and the class ctor
>>> takes a gimple_ranger as argument.  Would calling the function be
>>> the right way to do it?  (I couldn't find anything on the Wiki.)
>>
>> I haven't had time to write a new modern wiki yet... probably won't 
>> until well after stage 1 closes either.
>>
>> And no, thats the internal cache of the ranger, which you dont have 
>> access to.
>>
>> At the moment, there isnt a way to inject a "new" global range out of 
>> the blue.  It hasnt been a  requirement before, but wouldn't be 
>> particularly difficult.
>>
>> Short answer, there is no current equivalent of set_range_info() 
>> because we dont have a persistent global cache in the same way, and 
>> the ranger doesnt set  the RANGE_INFO field at this point.. we havent 
>> gotten to the point of reworking that yet.
>>
>> So the question is, what exactly are you trying to do? I presume you 
>> are analyzing  a strlen statement, and are making range conclusions 
>> about either the result or some of the operands are that are not 
>> otherwise exposed in the code?
>>
>> And you are looking to have those values injected into the rangers 
>> calculations as refinements?
>
> Yes, exactly.  This is used both for optimization and for warnings
> (both to enable them and to suppress false positives).
>
> Besides folding strlen and sprintf calls into constants, the strlen
> pass sets the range of the results of the calls when the lengths of
> the arguments/output are known to be at least some number of bytes.
>
> Besides exposing optimization opportunities downstream, the pass
> uses this information to either issue or suppress warnings like in
> the sprintf case above.  -Wformat-overflow issues warnings either
> based on string lengths (or ranges) if they're known, or based on
> the sizes of the arrays the strings are stored in when nothing is
> known about the lengths.  The array size is used as the worst case
> estimate, which can cause false positives.
>
> Here's an example of a downstream optimization made possible by
> this.  Because i's range is known, the range of the snprintf result
> is also known (the range is computed for all snprintf arguments).
> The strlen pass sets the range and subsequent passes eliminate
> the unreachable code.
>
>   void f (int i)
>   {
>     if (i < 100 || 9999 < i)
>       i = 100;
>
>     int n = __builtin_snprintf (0, 0, "%i", i);
>     if (n < 3 || 4 < n)
>       __builtin_abort ();
>   }
>
> Martin
>
That seems like somethings that the range code for builtins should take 
care of rather than be calculated externally and injected

  they are just like any other  builtins that if the range of certain 
arguments are known, you can produce a result? I gather the range of i 
being known to be [100,9999] means we know something about n.  The the 
ranger would be able to do that anywhere and everywhere, not just within 
this pass.  One of the ranger goals is to centralize all range tracking

and the warning pass can continue to check the ranges and issue warnings 
when the ranges arent what it likes.

There may be other hoops you have to continue to jump thru, i don't know 
the specifics of what you deal with,  but at least the basics of ranges 
produced from  a builtin sounds like something that should be internal 
to the range engine.

Andrew

On 11/5/20 8:08 PM, Andrew MacLeod wrote:
> On 11/5/20 7:50 PM, Martin Sebor wrote:
>> On 11/5/20 5:02 PM, Andrew MacLeod wrote:
>>> On 11/5/20 4:02 PM, Martin Sebor wrote:
>>>> On 11/5/20 12:29 PM, Martin Sebor wrote:
>>>>> On 10/1/20 11:25 AM, Martin Sebor wrote:
>>>>>> On 10/1/20 9:34 AM, Aldy Hernandez wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 10/1/20 3:22 PM, Andrew MacLeod wrote:
>>>>>>>  > On 10/1/20 5:05 AM, Aldy Hernandez via Gcc-patches wrote:
>>>>>>>  >>> Thanks for doing all this!  There isn't anything I don't 
>>>>>>> understand
>>>>>>>  >>> in the sprintf changes so no questions from me (well, almost 
>>>>>>> none).
>>>>>>>  >>> Just some comments:
>>>>>>>  >> Thanks for your comments on the sprintf/strlen API conversion.
>>>>>>>  >>
>>>>>>>  >>> The current call statement is available in all functions 
>>>>>>> that take
>>>>>>>  >>> a directive argument, as dir->info.callstmt.  There should 
>>>>>>> be no need
>>>>>>>  >>> to also add it as a new argument to the functions that now 
>>>>>>> need it.
>>>>>>>  >> Fixed.
>>>>>>>  >>
>>>>>>>  >>> The change adds code along these lines in a bunch of places:
>>>>>>>  >>>
>>>>>>>  >>> +         value_range vr;
>>>>>>>  >>> +         if (!query->range_of_expr (vr, arg, stmt))
>>>>>>>  >>> +           vr.set_varying (TREE_TYPE (arg));
>>>>>>>  >>>
>>>>>>>  >>> I thought under the new Ranger APIs when a range couldn't be
>>>>>>>  >>> determined it would be automatically set to the maximum for
>>>>>>>  >>> the type.  I like that and have been moving in that direction
>>>>>>>  >>> with my code myself (rather than having an API fail, have it
>>>>>>>  >>> set the max range and succeed).
>>>>>>>  >> I went through all the above idioms and noticed all are being 
>>>>>>> used on
>>>>>>>  >> supported types (integers or pointers).  So range_of_expr 
>>>>>>> will always
>>>>>>>  >> return true.  I've removed the if() and the set_varying.
>>>>>>>  >>
>>>>>>>  >>> Since that isn't so in this case, I think it would still be 
>>>>>>> nice
>>>>>>>  >>> if the added code could be written as if the range were set to
>>>>>>>  >>> varying in this case and (ideally) reduced to just 
>>>>>>> initialization:
>>>>>>>  >>>
>>>>>>>  >>>     value_range vr = some-function (query, stmt, arg);
>>>>>>>  >>>
>>>>>>>  >>> some-function could be an inline helper defined just for the 
>>>>>>> sprintf
>>>>>>>  >>> pass (and maybe also strlen which also seems to use the same 
>>>>>>> pattern),
>>>>>>>  >>> or it could be a value_range AKA irange ctor, or it could be 
>>>>>>> a member
>>>>>>>  >>> of range_query, whatever is the most appropriate.
>>>>>>>  >>>
>>>>>>>  >>> (If assigning/copying a value_range is thought to be too 
>>>>>>> expensive,
>>>>>>>  >>> declaring it first and then passing it to that helper to set it
>>>>>>>  >>> would work too).
>>>>>>>  >>>
>>>>>>>  >>> In strlen, is the removed comment no longer relevant? (I.e., 
>>>>>>> does
>>>>>>>  >>> the ranger solve the problem?)
>>>>>>>  >>>
>>>>>>>  >>> -      /* The range below may be "inaccurate" if a constant 
>>>>>>> has been
>>>>>>>  >>> -        substituted earlier for VAL by this pass that 
>>>>>>> hasn't been
>>>>>>>  >>> -        propagated through the CFG.  This shoud be fixed by 
>>>>>>> the new
>>>>>>>  >>> -        on-demand VRP if/when it becomes available 
>>>>>>> (hopefully in
>>>>>>>  >>> -        GCC 11).  */
>>>>>>>  >> It should.
>>>>>>>  >>
>>>>>>>  >>> I'm wondering about the comment added to 
>>>>>>> get_range_strlen_dynamic
>>>>>>>  >>> and other places:
>>>>>>>  >>>
>>>>>>>  >>> +         // FIXME: Use range_query instead of global ranges.
>>>>>>>  >>>
>>>>>>>  >>> Is that something you're planning to do in a followup or should
>>>>>>>  >>> I remember to do it at some point?
>>>>>>>  >> I'm not planning on doing it.  It's just a reminder that it 
>>>>>>> would be
>>>>>>>  >> beneficial to do so.
>>>>>>>  >>
>>>>>>>  >>> Otherwise I have no concern with the changes.
>>>>>>>  >> It's not cleared whether Andrew approved all 3 parts of the 
>>>>>>> patchset
>>>>>>>  >> or just the valuation part.  I'll wait for his nod before 
>>>>>>> committing
>>>>>>>  >> this chunk.
>>>>>>>  >>
>>>>>>>  >> Aldy
>>>>>>>  >>
>>>>>>>  > I have no issue with it, so OK.
>>>>>>>
>>>>>>> Pushed all 3 patches.
>>>>>>>
>>>>>>>  >
>>>>>>>  > Just an observation that should be pointed out, I believe Aldy 
>>>>>>> has all
>>>>>>>  > the code for converting to a ranger, but we have not pursued 
>>>>>>> that any
>>>>>>>  > further yet since there is a regression due to our lack of 
>>>>>>> equivalence
>>>>>>>  > processing I think?  That should be resolved in the coming 
>>>>>>> month, but at
>>>>>>>  > the moment is a holdback/concern for converting these 
>>>>>>> passes... iirc.
>>>>>>>
>>>>>>> Yes.  Martin, the take away here is that the strlen/sprintf pass 
>>>>>>> has been converted to the new API, but ranger is still not up and 
>>>>>>> running on it (even on the branch).
>>>>>>>
>>>>>>> With the new API, all you have to do is remove all instances of 
>>>>>>> evrp_range_analyzer and replace them with a ranger. That's it.
>>>>>>> Below is an untested patch that would convert you to a ranger 
>>>>>>> once it's contributed.
>>>>>>>
>>>>>>> IIRC when I enabled the ranger for your pass a while back, there 
>>>>>>> was one or two regressions due to missing equivalences, and the 
>>>>>>> rest were because the tests were expecting an actual specific 
>>>>>>> range, and the ranger returned a slightly different/better one. 
>>>>>>> You'll need to adjust your tests.
>>>>>>
>>>>>> Ack.  I'll be on the lookout for the ranger commit (if you hppen
>>>>>> to remember and CC me on it just in case I might miss it that would
>>>>>> be great).
>>>>>
>>>>> I have applied the patch and ran some tests.  There are quite
>>>>> a few failures (see the list below).  I have only looked at
>>>>> a couple.  The one in in gcc.dg/tree-ssa/builtin-sprintf-warn-3.c
>>>>> boils down to the following test case.  There should be no warning
>>>>> for either sprintf call.  The one in h() is a false positive and
>>>>> the reason for at least some of the regressions.  Somehow,
>>>>> the conversions between int and char are causing Ranger to lose
>>>>> the range.
>>>>>
>>>>> $ cat t.c && gcc -O2 -S -Wall t.c
>>>>> char a[2];
>>>>>
>>>>> extern int x;
>>>>>
>>>>> signed char f (int min, int max)
>>>>> {
>>>>>    signed char i = x;
>>>>>    return i < min || max < i ? min : i;
>>>>> }
>>>>>
>>>>> void ff (signed char i)
>>>>> {
>>>>>    __builtin_sprintf (a, "%i", f (0, 9));   // okay
>>>>> }
>>>>>
>>>>> signed char g (signed char min, signed char max)
>>>>> {
>>>>>    signed char i = x;
>>>>>    return i < min || max < i ? min : i;
>>>>> }
>>>>>
>>>>> void gg (void)
>>>>> {
>>>>>    __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
>>>>> }
>>>>>
>>>>> t.c: In function ‘gg’:
>>>>> t.c:24:26: warning: ‘%i’ directive writing between 1 and 4 bytes 
>>>>> into a region of size 2 [-Wformat-overflow=]
>>>>>     24 |   __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
>>>>>        |                          ^~
>>>>> t.c:24:25: note: directive argument in the range [-128, 127]
>>>>>     24 |   __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
>>>>>        |                         ^~~~
>>>>> t.c:24:3: note: ‘__builtin_sprintf’ output between 2 and 5 bytes 
>>>>> into a destination of size 2
>>>>>     24 |   __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
>>>>>        |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>>>
>>>>>
>>>>> Another failure (the one in builtin-sprintf-warn-22.c) is this where
>>>>> the false positive is due to the strlen pass somehow having lost
>>>>> the upper bound on the sum of the two string lengths.
>>>>
>>>> I'm guessing this might have something to do with the strlen pass
>>>> calling set_range_info() on the nonconstant results of strlen calls
>>>> it can determine the range for.  How would I go about doing it with
>>>> ranger?  I see ranger_cache::set_global_range() and the class ctor
>>>> takes a gimple_ranger as argument.  Would calling the function be
>>>> the right way to do it?  (I couldn't find anything on the Wiki.)
>>>
>>> I haven't had time to write a new modern wiki yet... probably won't 
>>> until well after stage 1 closes either.
>>>
>>> And no, thats the internal cache of the ranger, which you dont have 
>>> access to.
>>>
>>> At the moment, there isnt a way to inject a "new" global range out of 
>>> the blue.  It hasnt been a  requirement before, but wouldn't be 
>>> particularly difficult.
>>>
>>> Short answer, there is no current equivalent of set_range_info() 
>>> because we dont have a persistent global cache in the same way, and 
>>> the ranger doesnt set  the RANGE_INFO field at this point.. we havent 
>>> gotten to the point of reworking that yet.
>>>
>>> So the question is, what exactly are you trying to do? I presume you 
>>> are analyzing  a strlen statement, and are making range conclusions 
>>> about either the result or some of the operands are that are not 
>>> otherwise exposed in the code?
>>>
>>> And you are looking to have those values injected into the rangers 
>>> calculations as refinements?
>>
>> Yes, exactly.  This is used both for optimization and for warnings
>> (both to enable them and to suppress false positives).
>>
>> Besides folding strlen and sprintf calls into constants, the strlen
>> pass sets the range of the results of the calls when the lengths of
>> the arguments/output are known to be at least some number of bytes.
>>
>> Besides exposing optimization opportunities downstream, the pass
>> uses this information to either issue or suppress warnings like in
>> the sprintf case above.  -Wformat-overflow issues warnings either
>> based on string lengths (or ranges) if they're known, or based on
>> the sizes of the arrays the strings are stored in when nothing is
>> known about the lengths.  The array size is used as the worst case
>> estimate, which can cause false positives.
>>
>> Here's an example of a downstream optimization made possible by
>> this.  Because i's range is known, the range of the snprintf result
>> is also known (the range is computed for all snprintf arguments).
>> The strlen pass sets the range and subsequent passes eliminate
>> the unreachable code.
>>
>>   void f (int i)
>>   {
>>     if (i < 100 || 9999 < i)
>>       i = 100;
>>
>>     int n = __builtin_snprintf (0, 0, "%i", i);
>>     if (n < 3 || 4 < n)
>>       __builtin_abort ();
>>   }
>>
>> Martin
>>
> That seems like somethings that the range code for builtins should take 
> care of rather than be calculated externally and injected
> 
>   they are just like any other  builtins that if the range of certain 
> arguments are known, you can produce a result?

The strlen optimization is more involved in that it keeps track of
the state of the strings as they're being created by calls to string
functions like strcpy (or single and multi-byte stores).  So the only
way for Ranger to figure out the range of the result of a strlen call
is to query the strlen pass.  That might work via a callback but it
would of course only work while the strlen pass is running.  The same
goes for the sprintf results (which are based on the strlen data).
It might be good enough as long as the ranges can also be exported
to downstream passes.

It might be possible to compute this on demand too (and introduce
something like a strlen_range_query) but it would need reworking
the strlen pass.  I like the on-demand design but in the strlen
case I'm not sure the benefits would justify the costs.

> I gather the range of i 
> being known to be [100,9999] means we know something about n.  The the 
> ranger would be able to do that anywhere and everywhere, not just within 
> this pass.  One of the ranger goals is to centralize all range tracking
> 
> and the warning pass can continue to check the ranges and issue warnings 
> when the ranges arent what it likes.

In this simple case, yes.  But consider a more involved example:

   char a[8];

   void f (int i)
   {
     if (i < 100 || 9999 < i) i = 100;
     memcpy (a, "123", 3);   // strlen(a) is in [3, 7]
     int n = snprintf (0, 0, "%s %i", a, i);   // n is in [7, 12]
     if (n < 7 || 12 < n)   // folded to false
       abort ();
   }

To compute n's range you need to know not only that of i but also
the length of a (or its range in this case).  That's what the strlen
optimization enables.

> 
> There may be other hoops you have to continue to jump thru, i don't know 
> the specifics of what you deal with,  but at least the basics of ranges 
> produced from  a builtin sounds like something that should be internal 
> to the range engine.

It might help to meet to help each other come up to speed on what
we're doing, what we're planning, and how to best integrate the work
and enable future enhancements.  I still know very little about
the Ranger internals and it might be helpful to you to learn more
about some of the warnings I work on and the optimizations that
enable them (and what I'd like to do in the future).

Martin

On 11/6/20 11:13 AM, Martin Sebor wrote:
> On 11/5/20 8:08 PM, Andrew MacLeod wrote:
>> On 11/5/20 7:50 PM, Martin Sebor wrote:
>>> On 11/5/20 5:02 PM, Andrew MacLeod wrote:
>>>> On 11/5/20 4:02 PM, Martin Sebor wrote:
>>>>> On 11/5/20 12:29 PM, Martin Sebor wrote:
>>>>>> On 10/1/20 11:25 AM, Martin Sebor wrote:
>>>>>>> On 10/1/20 9:34 AM, Aldy Hernandez wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> On 10/1/20 3:22 PM, Andrew MacLeod wrote:
>>>>>>>>  > On 10/1/20 5:05 AM, Aldy Hernandez via Gcc-patches wrote:
>>>>>>>>  >>> Thanks for doing all this!  There isn't anything I don't 
>>>>>>>> understand
>>>>>>>>  >>> in the sprintf changes so no questions from me (well, 
>>>>>>>> almost none).
>>>>>>>>  >>> Just some comments:
>>>>>>>>  >> Thanks for your comments on the sprintf/strlen API conversion.
>>>>>>>>  >>
>>>>>>>>  >>> The current call statement is available in all functions 
>>>>>>>> that take
>>>>>>>>  >>> a directive argument, as dir->info.callstmt.  There should 
>>>>>>>> be no need
>>>>>>>>  >>> to also add it as a new argument to the functions that now 
>>>>>>>> need it.
>>>>>>>>  >> Fixed.
>>>>>>>>  >>
>>>>>>>>  >>> The change adds code along these lines in a bunch of places:
>>>>>>>>  >>>
>>>>>>>>  >>> +         value_range vr;
>>>>>>>>  >>> +         if (!query->range_of_expr (vr, arg, stmt))
>>>>>>>>  >>> +           vr.set_varying (TREE_TYPE (arg));
>>>>>>>>  >>>
>>>>>>>>  >>> I thought under the new Ranger APIs when a range couldn't be
>>>>>>>>  >>> determined it would be automatically set to the maximum for
>>>>>>>>  >>> the type.  I like that and have been moving in that direction
>>>>>>>>  >>> with my code myself (rather than having an API fail, have it
>>>>>>>>  >>> set the max range and succeed).
>>>>>>>>  >> I went through all the above idioms and noticed all are 
>>>>>>>> being used on
>>>>>>>>  >> supported types (integers or pointers). So range_of_expr 
>>>>>>>> will always
>>>>>>>>  >> return true.  I've removed the if() and the set_varying.
>>>>>>>>  >>
>>>>>>>>  >>> Since that isn't so in this case, I think it would still 
>>>>>>>> be nice
>>>>>>>>  >>> if the added code could be written as if the range were 
>>>>>>>> set to
>>>>>>>>  >>> varying in this case and (ideally) reduced to just 
>>>>>>>> initialization:
>>>>>>>>  >>>
>>>>>>>>  >>>     value_range vr = some-function (query, stmt, arg);
>>>>>>>>  >>>
>>>>>>>>  >>> some-function could be an inline helper defined just for 
>>>>>>>> the sprintf
>>>>>>>>  >>> pass (and maybe also strlen which also seems to use the 
>>>>>>>> same pattern),
>>>>>>>>  >>> or it could be a value_range AKA irange ctor, or it could 
>>>>>>>> be a member
>>>>>>>>  >>> of range_query, whatever is the most appropriate.
>>>>>>>>  >>>
>>>>>>>>  >>> (If assigning/copying a value_range is thought to be too 
>>>>>>>> expensive,
>>>>>>>>  >>> declaring it first and then passing it to that helper to 
>>>>>>>> set it
>>>>>>>>  >>> would work too).
>>>>>>>>  >>>
>>>>>>>>  >>> In strlen, is the removed comment no longer relevant? 
>>>>>>>> (I.e., does
>>>>>>>>  >>> the ranger solve the problem?)
>>>>>>>>  >>>
>>>>>>>>  >>> -      /* The range below may be "inaccurate" if a 
>>>>>>>> constant has been
>>>>>>>>  >>> -        substituted earlier for VAL by this pass that 
>>>>>>>> hasn't been
>>>>>>>>  >>> -        propagated through the CFG. This shoud be fixed 
>>>>>>>> by the new
>>>>>>>>  >>> -        on-demand VRP if/when it becomes available 
>>>>>>>> (hopefully in
>>>>>>>>  >>> -        GCC 11).  */
>>>>>>>>  >> It should.
>>>>>>>>  >>
>>>>>>>>  >>> I'm wondering about the comment added to 
>>>>>>>> get_range_strlen_dynamic
>>>>>>>>  >>> and other places:
>>>>>>>>  >>>
>>>>>>>>  >>> +         // FIXME: Use range_query instead of global ranges.
>>>>>>>>  >>>
>>>>>>>>  >>> Is that something you're planning to do in a followup or 
>>>>>>>> should
>>>>>>>>  >>> I remember to do it at some point?
>>>>>>>>  >> I'm not planning on doing it.  It's just a reminder that it 
>>>>>>>> would be
>>>>>>>>  >> beneficial to do so.
>>>>>>>>  >>
>>>>>>>>  >>> Otherwise I have no concern with the changes.
>>>>>>>>  >> It's not cleared whether Andrew approved all 3 parts of the 
>>>>>>>> patchset
>>>>>>>>  >> or just the valuation part.  I'll wait for his nod before 
>>>>>>>> committing
>>>>>>>>  >> this chunk.
>>>>>>>>  >>
>>>>>>>>  >> Aldy
>>>>>>>>  >>
>>>>>>>>  > I have no issue with it, so OK.
>>>>>>>>
>>>>>>>> Pushed all 3 patches.
>>>>>>>>
>>>>>>>>  >
>>>>>>>>  > Just an observation that should be pointed out, I believe 
>>>>>>>> Aldy has all
>>>>>>>>  > the code for converting to a ranger, but we have not pursued 
>>>>>>>> that any
>>>>>>>>  > further yet since there is a regression due to our lack of 
>>>>>>>> equivalence
>>>>>>>>  > processing I think?  That should be resolved in the coming 
>>>>>>>> month, but at
>>>>>>>>  > the moment is a holdback/concern for converting these 
>>>>>>>> passes... iirc.
>>>>>>>>
>>>>>>>> Yes.  Martin, the take away here is that the strlen/sprintf 
>>>>>>>> pass has been converted to the new API, but ranger is still not 
>>>>>>>> up and running on it (even on the branch).
>>>>>>>>
>>>>>>>> With the new API, all you have to do is remove all instances of 
>>>>>>>> evrp_range_analyzer and replace them with a ranger. That's it.
>>>>>>>> Below is an untested patch that would convert you to a ranger 
>>>>>>>> once it's contributed.
>>>>>>>>
>>>>>>>> IIRC when I enabled the ranger for your pass a while back, 
>>>>>>>> there was one or two regressions due to missing equivalences, 
>>>>>>>> and the rest were because the tests were expecting an actual 
>>>>>>>> specific range, and the ranger returned a slightly 
>>>>>>>> different/better one. You'll need to adjust your tests.
>>>>>>>
>>>>>>> Ack.  I'll be on the lookout for the ranger commit (if you hppen
>>>>>>> to remember and CC me on it just in case I might miss it that would
>>>>>>> be great).
>>>>>>
>>>>>> I have applied the patch and ran some tests.  There are quite
>>>>>> a few failures (see the list below).  I have only looked at
>>>>>> a couple.  The one in in gcc.dg/tree-ssa/builtin-sprintf-warn-3.c
>>>>>> boils down to the following test case.  There should be no warning
>>>>>> for either sprintf call.  The one in h() is a false positive and
>>>>>> the reason for at least some of the regressions. Somehow,
>>>>>> the conversions between int and char are causing Ranger to lose
>>>>>> the range.
>>>>>>
>>>>>> $ cat t.c && gcc -O2 -S -Wall t.c
>>>>>> char a[2];
>>>>>>
>>>>>> extern int x;
>>>>>>
>>>>>> signed char f (int min, int max)
>>>>>> {
>>>>>>    signed char i = x;
>>>>>>    return i < min || max < i ? min : i;
>>>>>> }
>>>>>>
>>>>>> void ff (signed char i)
>>>>>> {
>>>>>>    __builtin_sprintf (a, "%i", f (0, 9));   // okay
>>>>>> }
>>>>>>
>>>>>> signed char g (signed char min, signed char max)
>>>>>> {
>>>>>>    signed char i = x;
>>>>>>    return i < min || max < i ? min : i;
>>>>>> }
>>>>>>
>>>>>> void gg (void)
>>>>>> {
>>>>>>    __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
>>>>>> }
>>>>>>
>>>>>> t.c: In function ‘gg’:
>>>>>> t.c:24:26: warning: ‘%i’ directive writing between 1 and 4 bytes 
>>>>>> into a region of size 2 [-Wformat-overflow=]
>>>>>>     24 |   __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
>>>>>>        |                          ^~
>>>>>> t.c:24:25: note: directive argument in the range [-128, 127]
>>>>>>     24 |   __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
>>>>>>        |                         ^~~~
>>>>>> t.c:24:3: note: ‘__builtin_sprintf’ output between 2 and 5 bytes 
>>>>>> into a destination of size 2
>>>>>>     24 |   __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
>>>>>>        |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>>>>
>>>>>>
>>>>>> Another failure (the one in builtin-sprintf-warn-22.c) is this where
>>>>>> the false positive is due to the strlen pass somehow having lost
>>>>>> the upper bound on the sum of the two string lengths.
>>>>>
>>>>> I'm guessing this might have something to do with the strlen pass
>>>>> calling set_range_info() on the nonconstant results of strlen calls
>>>>> it can determine the range for.  How would I go about doing it with
>>>>> ranger?  I see ranger_cache::set_global_range() and the class ctor
>>>>> takes a gimple_ranger as argument.  Would calling the function be
>>>>> the right way to do it?  (I couldn't find anything on the Wiki.)
>>>>
>>>> I haven't had time to write a new modern wiki yet... probably won't 
>>>> until well after stage 1 closes either.
>>>>
>>>> And no, thats the internal cache of the ranger, which you dont have 
>>>> access to.
>>>>
>>>> At the moment, there isnt a way to inject a "new" global range out 
>>>> of the blue.  It hasnt been a  requirement before, but wouldn't be 
>>>> particularly difficult.
>>>>
>>>> Short answer, there is no current equivalent of set_range_info() 
>>>> because we dont have a persistent global cache in the same way, and 
>>>> the ranger doesnt set  the RANGE_INFO field at this point.. we 
>>>> havent gotten to the point of reworking that yet.
>>>>
>>>> So the question is, what exactly are you trying to do? I presume 
>>>> you are analyzing  a strlen statement, and are making range 
>>>> conclusions about either the result or some of the operands are 
>>>> that are not otherwise exposed in the code?
>>>>
>>>> And you are looking to have those values injected into the rangers 
>>>> calculations as refinements?
>>>
>>> Yes, exactly.  This is used both for optimization and for warnings
>>> (both to enable them and to suppress false positives).
>>>
>>> Besides folding strlen and sprintf calls into constants, the strlen
>>> pass sets the range of the results of the calls when the lengths of
>>> the arguments/output are known to be at least some number of bytes.
>>>
>>> Besides exposing optimization opportunities downstream, the pass
>>> uses this information to either issue or suppress warnings like in
>>> the sprintf case above.  -Wformat-overflow issues warnings either
>>> based on string lengths (or ranges) if they're known, or based on
>>> the sizes of the arrays the strings are stored in when nothing is
>>> known about the lengths.  The array size is used as the worst case
>>> estimate, which can cause false positives.
>>>
>>> Here's an example of a downstream optimization made possible by
>>> this.  Because i's range is known, the range of the snprintf result
>>> is also known (the range is computed for all snprintf arguments).
>>> The strlen pass sets the range and subsequent passes eliminate
>>> the unreachable code.
>>>
>>>   void f (int i)
>>>   {
>>>     if (i < 100 || 9999 < i)
>>>       i = 100;
>>>
>>>     int n = __builtin_snprintf (0, 0, "%i", i);
>>>     if (n < 3 || 4 < n)
>>>       __builtin_abort ();
>>>   }
>>>
>>> Martin
>>>
>> That seems like somethings that the range code for builtins should 
>> take care of rather than be calculated externally and injected
>>
>>   they are just like any other  builtins that if the range of certain 
>> arguments are known, you can produce a result?
>
> The strlen optimization is more involved in that it keeps track of
> the state of the strings as they're being created by calls to string
> functions like strcpy (or single and multi-byte stores).  So the only
> way for Ranger to figure out the range of the result of a strlen call
> is to query the strlen pass.  That might work via a callback but it
> would of course only work while the strlen pass is running.  The same
> goes for the sprintf results (which are based on the strlen data).
> It might be good enough as long as the ranges can also be exported
> to downstream passes.
>
> It might be possible to compute this on demand too (and introduce
> something like a strlen_range_query) but it would need reworking
> the strlen pass.  I like the on-demand design but in the strlen
> case I'm not sure the benefits would justify the costs.
>
>> I gather the range of i being known to be [100,9999] means we know 
>> something about n.  The the ranger would be able to do that anywhere 
>> and everywhere, not just within this pass.  One of the ranger goals 
>> is to centralize all range tracking
>>
>> and the warning pass can continue to check the ranges and issue 
>> warnings when the ranges arent what it likes.
>
> In this simple case, yes.  But consider a more involved example:
>
>   char a[8];
>
>   void f (int i)
>   {
>     if (i < 100 || 9999 < i) i = 100;
>     memcpy (a, "123", 3);   // strlen(a) is in [3, 7]
>     int n = snprintf (0, 0, "%s %i", a, i);   // n is in [7, 12]
>     if (n < 7 || 12 < n)   // folded to false
>       abort ();
>   }
>
> To compute n's range you need to know not only that of i but also
> the length of a (or its range in this case).  That's what the strlen
> optimization enables.
>
Thats why we need precise examples :-)

Ive attached a thouroughly untested patch which you can apply to the 
latest trunk stuff I've checked  in and try.  It gives you an entry 
point into the ranger:

bool import_global_range (tree name, irange &r);
NAME is the ssa_name you are updating the global value for, and
R is the new range you wish to add.  Note it is not a replacement, but 
rather an intergration.  ie, and extra source of information the ranger 
can't see.

you can call it with your newly calculated value,and it will enhance the 
value the ranger already has with the extra information.. so above, you 
would call it with

  ranger->import_global_range (n_6, [7,12])

this will set the range for n_6 to the INTERSECTION of [7,12] and 
whatever the ranger already knows.  If its varying, then it'll set it to 
[7,12]. If the ranger had already figured it was [9,20] for some reason, 
then the result will be [9,12] aftewr this call, and it will reurn FALSE 
indicating the new range is different than the range you passed in.  if 
you care.

It should also push the range of n_6 forward into pother blocks, so on 
entry to the block with the abort(), it should have a range of [], 
indicating it can't eb reached.

There are a couple of caveats.

1) It may or may not affect other dependent value at this point 
depending on the order you visit things since the propagation of 
dependency chains is not complete yet.  ie  if the abort() block has
h_4 = n_6 + 2
g_2 = h_4 + 6   , g_2 may not be reevaluated with the new range... It 
might.. but I cant guarantee it just now.

2) If you wish this value to be exported into SSA_NAME_RANGE_INFO, you 
will have to continue doing that manually.  The ranger cache is not 
currently ever exported the RANGE_INFO fields.  We've run into numerous 
issues with "differences": that occur when a multi-range is converted to 
a value_range and although the range is correct, it may be different 
that the orignal and produce different results.   We are waiting until 
we replace the SSA_NAME_RANGE_INFO mechanism.

Anyway, let me known if this works. I havent had a chance to test it 
yet.   If it works we can add it to the full API

Andrew

On 11/5/20 2:29 PM, Martin Sebor wrote:
> On 10/1/20 11:25 AM, Martin Sebor wrote:
>>
>
> I have applied the patch and ran some tests.  There are quite
> a few failures (see the list below).  I have only looked at
> a couple.  The one in in gcc.dg/tree-ssa/builtin-sprintf-warn-3.c
> boils down to the following test case.  There should be no warning
> for either sprintf call.  The one in h() is a false positive and
> the reason for at least some of the regressions.  Somehow,
> the conversions between int and char are causing Ranger to lose
> the range.
>
> $ cat t.c && gcc -O2 -S -Wall t.c
> char a[2];
>
> extern int x;
>
> signed char f (int min, int max)
> {
>   signed char i = x;
>   return i < min || max < i ? min : i;
> }
>
> void ff (signed char i)
> {
>   __builtin_sprintf (a, "%i", f (0, 9));   // okay
> }
>
> signed char g (signed char min, signed char max)
> {
>   signed char i = x;
>   return i < min || max < i ? min : i;
> }
>
> void gg (void)
> {
>   __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
> }
>


The latest changes resolve the issues witg the gg() case.
you will now get a range of [0,9] for the temporary:
=========== BB 4 ============
     <bb 4> :
     # iftmp.3_10 = PHI <0(2), i_6(3)>
     _2 = (int) iftmp.3_10;
     __builtin_sprintf (&a, "%i", _2);
     return;

_2 : int [0, 9]
iftmp.3_10 : signed char [0, 9]




The code issued for the 2 routines is very different. The first routine 
produces:

  =========== BB 2 ============
     <bb 2> :
     x.0_4 = x;
     i_6 = (signed char) x.0_4;
     _7 = (int) i_6;
     if (_7 < 0)
       goto <bb 4>; [50.00%]
     else
       goto <bb 3>; [50.00%]

_7 : int [-128, 127]
2->4  (T) x.0_4 :       int [-INF, -257][-128, -1][128, +INF]
2->4  (T) i_6 :         signed char [-INF, -1]
2->4  (T) _7 :  int [-128, -1]
2->3  (F) x.0_4 :       int [-INF, -129][0, 127][256, +INF]
2->3  (F) i_6 :         signed char [0, +INF]
2->3  (F) _7 :  int [0, 127]

=========== BB 3 ============
i_6     signed char [0, +INF]
_7      int [0, 127]
     <bb 3> :
     if (_7 > 9)
       goto <bb 4>; [50.00%]
     else
       goto <bb 5>; [50.00%]

3->4  (T) _7 :  int [10, 127]
3->5  (F) _7 :  int [0, 9]

=========== BB 4 ============
     <bb 4> :

=========== BB 5 ============
     <bb 5> :
     # iftmp.1_9 = PHI <i_6(3), 0(4)>
     _2 = (int) iftmp.1_9;
     __builtin_sprintf (&a, "%i", _2);
     return;

_2 : int [0, 127]
iftmp.1_9 : signed char [0, +INF]


Note that we figure out that _7 is [0,9] from 3->5,  except the PHI node 
in block 5 refers to i_6...

i_6 is not referred to in BB3, so this generation of ranger doesnt see 
it as an exportable value, and thus doesnt do a calculation for it like 
it does in BB2, where it is defined.  So it only picks up the first of 
the 2 conditions for i_6 that is live on entry to BB3 ([0, +INF])

2 things are in the pipe which will resolve this
1 - equivalences.  _7 is a cast-copy of i_6.  since the range of _7 
falls within the range of a signed char, the forthcoming 
equivalency/relational work will have i_6 match the same value as _7.
2 - The next generation GORI engine will allow for recalculation of 
dependency chains from outside the block when appropriate, so this will 
cause i_6 to also be an exportable value from BB 3 as well. which will 
also then get the [0,9] range in circumstances in which it isnt a simply 
copy.


Neither of which helps you right now with the perfect precision  :-P

Andrew

On 11/6/20 2:54 PM, Andrew MacLeod wrote:
> On 11/6/20 11:13 AM, Martin Sebor wrote:
>> On 11/5/20 8:08 PM, Andrew MacLeod wrote:
>>> On 11/5/20 7:50 PM, Martin Sebor wrote:
>>>> On 11/5/20 5:02 PM, Andrew MacLeod wrote:
>>>>> On 11/5/20 4:02 PM, Martin Sebor wrote:
>>>>>> On 11/5/20 12:29 PM, Martin Sebor wrote:
>>>>>>> On 10/1/20 11:25 AM, Martin Sebor wrote:
>>>>>>>> On 10/1/20 9:34 AM, Aldy Hernandez wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 10/1/20 3:22 PM, Andrew MacLeod wrote:
>>>>>>>>>  > On 10/1/20 5:05 AM, Aldy Hernandez via Gcc-patches wrote:
>>>>>>>>>  >>> Thanks for doing all this!  There isn't anything I don't 
>>>>>>>>> understand
>>>>>>>>>  >>> in the sprintf changes so no questions from me (well, 
>>>>>>>>> almost none).
>>>>>>>>>  >>> Just some comments:
>>>>>>>>>  >> Thanks for your comments on the sprintf/strlen API conversion.
>>>>>>>>>  >>
>>>>>>>>>  >>> The current call statement is available in all functions 
>>>>>>>>> that take
>>>>>>>>>  >>> a directive argument, as dir->info.callstmt.  There should 
>>>>>>>>> be no need
>>>>>>>>>  >>> to also add it as a new argument to the functions that now 
>>>>>>>>> need it.
>>>>>>>>>  >> Fixed.
>>>>>>>>>  >>
>>>>>>>>>  >>> The change adds code along these lines in a bunch of places:
>>>>>>>>>  >>>
>>>>>>>>>  >>> +         value_range vr;
>>>>>>>>>  >>> +         if (!query->range_of_expr (vr, arg, stmt))
>>>>>>>>>  >>> +           vr.set_varying (TREE_TYPE (arg));
>>>>>>>>>  >>>
>>>>>>>>>  >>> I thought under the new Ranger APIs when a range couldn't be
>>>>>>>>>  >>> determined it would be automatically set to the maximum for
>>>>>>>>>  >>> the type.  I like that and have been moving in that direction
>>>>>>>>>  >>> with my code myself (rather than having an API fail, have it
>>>>>>>>>  >>> set the max range and succeed).
>>>>>>>>>  >> I went through all the above idioms and noticed all are 
>>>>>>>>> being used on
>>>>>>>>>  >> supported types (integers or pointers). So range_of_expr 
>>>>>>>>> will always
>>>>>>>>>  >> return true.  I've removed the if() and the set_varying.
>>>>>>>>>  >>
>>>>>>>>>  >>> Since that isn't so in this case, I think it would still 
>>>>>>>>> be nice
>>>>>>>>>  >>> if the added code could be written as if the range were 
>>>>>>>>> set to
>>>>>>>>>  >>> varying in this case and (ideally) reduced to just 
>>>>>>>>> initialization:
>>>>>>>>>  >>>
>>>>>>>>>  >>>     value_range vr = some-function (query, stmt, arg);
>>>>>>>>>  >>>
>>>>>>>>>  >>> some-function could be an inline helper defined just for 
>>>>>>>>> the sprintf
>>>>>>>>>  >>> pass (and maybe also strlen which also seems to use the 
>>>>>>>>> same pattern),
>>>>>>>>>  >>> or it could be a value_range AKA irange ctor, or it could 
>>>>>>>>> be a member
>>>>>>>>>  >>> of range_query, whatever is the most appropriate.
>>>>>>>>>  >>>
>>>>>>>>>  >>> (If assigning/copying a value_range is thought to be too 
>>>>>>>>> expensive,
>>>>>>>>>  >>> declaring it first and then passing it to that helper to 
>>>>>>>>> set it
>>>>>>>>>  >>> would work too).
>>>>>>>>>  >>>
>>>>>>>>>  >>> In strlen, is the removed comment no longer relevant? 
>>>>>>>>> (I.e., does
>>>>>>>>>  >>> the ranger solve the problem?)
>>>>>>>>>  >>>
>>>>>>>>>  >>> -      /* The range below may be "inaccurate" if a 
>>>>>>>>> constant has been
>>>>>>>>>  >>> -        substituted earlier for VAL by this pass that 
>>>>>>>>> hasn't been
>>>>>>>>>  >>> -        propagated through the CFG. This shoud be fixed 
>>>>>>>>> by the new
>>>>>>>>>  >>> -        on-demand VRP if/when it becomes available 
>>>>>>>>> (hopefully in
>>>>>>>>>  >>> -        GCC 11).  */
>>>>>>>>>  >> It should.
>>>>>>>>>  >>
>>>>>>>>>  >>> I'm wondering about the comment added to 
>>>>>>>>> get_range_strlen_dynamic
>>>>>>>>>  >>> and other places:
>>>>>>>>>  >>>
>>>>>>>>>  >>> +         // FIXME: Use range_query instead of global ranges.
>>>>>>>>>  >>>
>>>>>>>>>  >>> Is that something you're planning to do in a followup or 
>>>>>>>>> should
>>>>>>>>>  >>> I remember to do it at some point?
>>>>>>>>>  >> I'm not planning on doing it.  It's just a reminder that it 
>>>>>>>>> would be
>>>>>>>>>  >> beneficial to do so.
>>>>>>>>>  >>
>>>>>>>>>  >>> Otherwise I have no concern with the changes.
>>>>>>>>>  >> It's not cleared whether Andrew approved all 3 parts of the 
>>>>>>>>> patchset
>>>>>>>>>  >> or just the valuation part.  I'll wait for his nod before 
>>>>>>>>> committing
>>>>>>>>>  >> this chunk.
>>>>>>>>>  >>
>>>>>>>>>  >> Aldy
>>>>>>>>>  >>
>>>>>>>>>  > I have no issue with it, so OK.
>>>>>>>>>
>>>>>>>>> Pushed all 3 patches.
>>>>>>>>>
>>>>>>>>>  >
>>>>>>>>>  > Just an observation that should be pointed out, I believe 
>>>>>>>>> Aldy has all
>>>>>>>>>  > the code for converting to a ranger, but we have not pursued 
>>>>>>>>> that any
>>>>>>>>>  > further yet since there is a regression due to our lack of 
>>>>>>>>> equivalence
>>>>>>>>>  > processing I think?  That should be resolved in the coming 
>>>>>>>>> month, but at
>>>>>>>>>  > the moment is a holdback/concern for converting these 
>>>>>>>>> passes... iirc.
>>>>>>>>>
>>>>>>>>> Yes.  Martin, the take away here is that the strlen/sprintf 
>>>>>>>>> pass has been converted to the new API, but ranger is still not 
>>>>>>>>> up and running on it (even on the branch).
>>>>>>>>>
>>>>>>>>> With the new API, all you have to do is remove all instances of 
>>>>>>>>> evrp_range_analyzer and replace them with a ranger. That's it.
>>>>>>>>> Below is an untested patch that would convert you to a ranger 
>>>>>>>>> once it's contributed.
>>>>>>>>>
>>>>>>>>> IIRC when I enabled the ranger for your pass a while back, 
>>>>>>>>> there was one or two regressions due to missing equivalences, 
>>>>>>>>> and the rest were because the tests were expecting an actual 
>>>>>>>>> specific range, and the ranger returned a slightly 
>>>>>>>>> different/better one. You'll need to adjust your tests.
>>>>>>>>
>>>>>>>> Ack.  I'll be on the lookout for the ranger commit (if you hppen
>>>>>>>> to remember and CC me on it just in case I might miss it that would
>>>>>>>> be great).
>>>>>>>
>>>>>>> I have applied the patch and ran some tests.  There are quite
>>>>>>> a few failures (see the list below).  I have only looked at
>>>>>>> a couple.  The one in in gcc.dg/tree-ssa/builtin-sprintf-warn-3.c
>>>>>>> boils down to the following test case.  There should be no warning
>>>>>>> for either sprintf call.  The one in h() is a false positive and
>>>>>>> the reason for at least some of the regressions. Somehow,
>>>>>>> the conversions between int and char are causing Ranger to lose
>>>>>>> the range.
>>>>>>>
>>>>>>> $ cat t.c && gcc -O2 -S -Wall t.c
>>>>>>> char a[2];
>>>>>>>
>>>>>>> extern int x;
>>>>>>>
>>>>>>> signed char f (int min, int max)
>>>>>>> {
>>>>>>>    signed char i = x;
>>>>>>>    return i < min || max < i ? min : i;
>>>>>>> }
>>>>>>>
>>>>>>> void ff (signed char i)
>>>>>>> {
>>>>>>>    __builtin_sprintf (a, "%i", f (0, 9));   // okay
>>>>>>> }
>>>>>>>
>>>>>>> signed char g (signed char min, signed char max)
>>>>>>> {
>>>>>>>    signed char i = x;
>>>>>>>    return i < min || max < i ? min : i;
>>>>>>> }
>>>>>>>
>>>>>>> void gg (void)
>>>>>>> {
>>>>>>>    __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
>>>>>>> }
>>>>>>>
>>>>>>> t.c: In function ‘gg’:
>>>>>>> t.c:24:26: warning: ‘%i’ directive writing between 1 and 4 bytes 
>>>>>>> into a region of size 2 [-Wformat-overflow=]
>>>>>>>     24 |   __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
>>>>>>>        |                          ^~
>>>>>>> t.c:24:25: note: directive argument in the range [-128, 127]
>>>>>>>     24 |   __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
>>>>>>>        |                         ^~~~
>>>>>>> t.c:24:3: note: ‘__builtin_sprintf’ output between 2 and 5 bytes 
>>>>>>> into a destination of size 2
>>>>>>>     24 |   __builtin_sprintf (a, "%i", g (0, 9));   // bogus warning
>>>>>>>        |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>>>>>
>>>>>>>
>>>>>>> Another failure (the one in builtin-sprintf-warn-22.c) is this where
>>>>>>> the false positive is due to the strlen pass somehow having lost
>>>>>>> the upper bound on the sum of the two string lengths.
>>>>>>
>>>>>> I'm guessing this might have something to do with the strlen pass
>>>>>> calling set_range_info() on the nonconstant results of strlen calls
>>>>>> it can determine the range for.  How would I go about doing it with
>>>>>> ranger?  I see ranger_cache::set_global_range() and the class ctor
>>>>>> takes a gimple_ranger as argument.  Would calling the function be
>>>>>> the right way to do it?  (I couldn't find anything on the Wiki.)
>>>>>
>>>>> I haven't had time to write a new modern wiki yet... probably won't 
>>>>> until well after stage 1 closes either.
>>>>>
>>>>> And no, thats the internal cache of the ranger, which you dont have 
>>>>> access to.
>>>>>
>>>>> At the moment, there isnt a way to inject a "new" global range out 
>>>>> of the blue.  It hasnt been a  requirement before, but wouldn't be 
>>>>> particularly difficult.
>>>>>
>>>>> Short answer, there is no current equivalent of set_range_info() 
>>>>> because we dont have a persistent global cache in the same way, and 
>>>>> the ranger doesnt set  the RANGE_INFO field at this point.. we 
>>>>> havent gotten to the point of reworking that yet.
>>>>>
>>>>> So the question is, what exactly are you trying to do? I presume 
>>>>> you are analyzing  a strlen statement, and are making range 
>>>>> conclusions about either the result or some of the operands are 
>>>>> that are not otherwise exposed in the code?
>>>>>
>>>>> And you are looking to have those values injected into the rangers 
>>>>> calculations as refinements?
>>>>
>>>> Yes, exactly.  This is used both for optimization and for warnings
>>>> (both to enable them and to suppress false positives).
>>>>
>>>> Besides folding strlen and sprintf calls into constants, the strlen
>>>> pass sets the range of the results of the calls when the lengths of
>>>> the arguments/output are known to be at least some number of bytes.
>>>>
>>>> Besides exposing optimization opportunities downstream, the pass
>>>> uses this information to either issue or suppress warnings like in
>>>> the sprintf case above.  -Wformat-overflow issues warnings either
>>>> based on string lengths (or ranges) if they're known, or based on
>>>> the sizes of the arrays the strings are stored in when nothing is
>>>> known about the lengths.  The array size is used as the worst case
>>>> estimate, which can cause false positives.
>>>>
>>>> Here's an example of a downstream optimization made possible by
>>>> this.  Because i's range is known, the range of the snprintf result
>>>> is also known (the range is computed for all snprintf arguments).
>>>> The strlen pass sets the range and subsequent passes eliminate
>>>> the unreachable code.
>>>>
>>>>   void f (int i)
>>>>   {
>>>>     if (i < 100 || 9999 < i)
>>>>       i = 100;
>>>>
>>>>     int n = __builtin_snprintf (0, 0, "%i", i);
>>>>     if (n < 3 || 4 < n)
>>>>       __builtin_abort ();
>>>>   }
>>>>
>>>> Martin
>>>>
>>> That seems like somethings that the range code for builtins should 
>>> take care of rather than be calculated externally and injected
>>>
>>>   they are just like any other  builtins that if the range of certain 
>>> arguments are known, you can produce a result?
>>
>> The strlen optimization is more involved in that it keeps track of
>> the state of the strings as they're being created by calls to string
>> functions like strcpy (or single and multi-byte stores).  So the only
>> way for Ranger to figure out the range of the result of a strlen call
>> is to query the strlen pass.  That might work via a callback but it
>> would of course only work while the strlen pass is running.  The same
>> goes for the sprintf results (which are based on the strlen data).
>> It might be good enough as long as the ranges can also be exported
>> to downstream passes.
>>
>> It might be possible to compute this on demand too (and introduce
>> something like a strlen_range_query) but it would need reworking
>> the strlen pass.  I like the on-demand design but in the strlen
>> case I'm not sure the benefits would justify the costs.
>>
>>> I gather the range of i being known to be [100,9999] means we know 
>>> something about n.  The the ranger would be able to do that anywhere 
>>> and everywhere, not just within this pass.  One of the ranger goals 
>>> is to centralize all range tracking
>>>
>>> and the warning pass can continue to check the ranges and issue 
>>> warnings when the ranges arent what it likes.
>>
>> In this simple case, yes.  But consider a more involved example:
>>
>>   char a[8];
>>
>>   void f (int i)
>>   {
>>     if (i < 100 || 9999 < i) i = 100;
>>     memcpy (a, "123", 3);   // strlen(a) is in [3, 7]
>>     int n = snprintf (0, 0, "%s %i", a, i);   // n is in [7, 12]
>>     if (n < 7 || 12 < n)   // folded to false
>>       abort ();
>>   }
>>
>> To compute n's range you need to know not only that of i but also
>> the length of a (or its range in this case).  That's what the strlen
>> optimization enables.
>>
> Thats why we need precise examples :-)
> 
> Ive attached a thouroughly untested patch which you can apply to the 
> latest trunk stuff I've checked  in and try.  It gives you an entry 
> point into the ranger:
> 
> bool import_global_range (tree name, irange &r);
> NAME is the ssa_name you are updating the global value for, and
> R is the new range you wish to add.  Note it is not a replacement, but 
> rather an intergration.  ie, and extra source of information the ranger 
> can't see.
> 
> you can call it with your newly calculated value,and it will enhance the 
> value the ranger already has with the extra information.. so above, you 
> would call it with
> 
>   ranger->import_global_range (n_6, [7,12])
> 
> this will set the range for n_6 to the INTERSECTION of [7,12] and 
> whatever the ranger already knows.  If its varying, then it'll set it to 
> [7,12]. If the ranger had already figured it was [9,20] for some reason, 
> then the result will be [9,12] aftewr this call, and it will reurn FALSE 
> indicating the new range is different than the range you passed in.  if 
> you care.
> 
> It should also push the range of n_6 forward into pother blocks, so on 
> entry to the block with the abort(), it should have a range of [], 
> indicating it can't eb reached.
> 
> There are a couple of caveats.
> 
> 1) It may or may not affect other dependent value at this point 
> depending on the order you visit things since the propagation of 
> dependency chains is not complete yet.  ie  if the abort() block has
> h_4 = n_6 + 2
> g_2 = h_4 + 6   , g_2 may not be reevaluated with the new range... It 
> might.. but I cant guarantee it just now.
> 
> 2) If you wish this value to be exported into SSA_NAME_RANGE_INFO, you 
> will have to continue doing that manually.  The ranger cache is not 
> currently ever exported the RANGE_INFO fields.  We've run into numerous 
> issues with "differences": that occur when a multi-range is converted to 
> a value_range and although the range is correct, it may be different 
> that the orignal and produce different results.   We are waiting until 
> we replace the SSA_NAME_RANGE_INFO mechanism.
> 
> Anyway, let me known if this works. I havent had a chance to test it 
> yet.   If it works we can add it to the full API

Thanks a lot!  I'll try to get to it sometime this week if I can.

Martin